ANSPDCP (Romania) - Fine against Telekom Romania Communications

From GDPRhub
Revision as of 17:01, 19 June 2020 by AL
ANSPDCP - Fine against Telekom Romania Communications
Authority: ANSPDCP (Romania)
Jurisdiction: Romania
Relevant Law: Article 32(1)(b) GDPR
Article 58(2)(d) GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided:
Published: 11.06.2020
Fine: 3000 EUR
Parties: Telekom Romania Communications SA
National Case Number/Name: Fine against Telekom Romania Communications
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Romanian
Original Source: ANSPDCP (in RO)
Initial Contributor: n/a

The Romanian DPA (ANSPDCP) fined Telekom Romania Communications SA € 3,000 for violation of Article 32 GDPR. The operator did not implement sufficient security measures to verify the accuracy of personal data it processed to conclude subscription contracts.

English Summary

Facts

The DPA received many complaints about the fraudulent use of individuals' personal data when Telekom Romania Communications SA concluded subscription contracts on their behalf.

Dispute

Holding

The DPA conducted an investigation and found that the operator had not implemented sufficient security measures, including verification of the accuracy of personal data collected remotely (by telephone) in order to conclude subscription contracts, in violation of Article 32 GDPR.

The DPA also imposed a corrective measure, ordering the operator to bring its processing operations into compliance with the GDPR under Article 58(2)(d).

Comment

Further Resources


English Machine Translation of the Decision

The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.

On 23.04.2020, the National Supervisory Authority completed an investigation at the operator Telekom Romania Communications SA and found a violation of the provisions of art. 32 of the General Data Protection Regulation.

The operator Telekom Romania Communications SA was sanctioned with a fine of 14524.2 lei, the equivalent of 3,000 EURO.

The investigation was initiated following the receipt of complaints in which the petitioner complained about the fraudulent use of his personal data in the conclusion of contracts in his name by Telekom Romania Communications SA.

During the investigation, the National Supervisory Authority found that the operator had not implemented sufficient security measures, including verification of the accuracy of personal data collected remotely (by telephone) in order to conclude contracts.

This led to unlawful processing of the petitioner's data: subscription contracts were concluded in his name using the personal data from the pre-existing contract, without verifying their correctness, contrary to the obligations laid down in art. 32 of the GDPR. In this respect, art. 32 para. (1) letter b) provides, among other things, for the operator's obligation to implement appropriate technical and organizational measures, including the ability to ensure the confidentiality, integrity, availability and ongoing resilience of processing systems and services.

Pursuant to art. 58 para. (2) letter d) of the GDPR, a corrective measure was also applied to the controller: to bring its operations of collection and further processing of personal data into compliance with the GDPR by implementing effective procedures for the identification of persons, preventing the unlawful processing of personal data and their unauthorized disclosure, both by the employees / collaborators of Telekom Romania Communications SA and by the authorized persons and their employees / collaborators, as well as by their regular training and the periodic verification of compliance with the instructions given.