ANSPDCP (Romania) - Fine against Vodafone România S.A. 4

| ANSPDCP (Romania) - Fine against Vodafone România S.A. 4 | |
|---|---|
| Authority | ANSPDCP (Romania) |
| Jurisdiction | Romania |
| Relevant Law | Articles 3(1), 3(3)a and 3(3)b of the Law no. 506/2004 |
| Type | Investigation |
| Outcome | Violation Found |
| Started | |
| Decided | |
| Published | 27.05.2021 |
| Fine | 5000 RON |
| Parties | Vodafone România |
| National Case Number/Name | Fine against Vodafone România S.A. 4 |
| European Case Law Identifier | n/a |
| Appeal | Unknown |
| Original Language(s) | Romanian |
| Original Source | ANSPDCP (in RO) |
| Initial Contributor | Diana Rosu |

The Romanian DPA fined Vodafone Romania RON 5,000 (approximately €1,000) for not taking the necessary measures to prevent a data breach that led to the transmission of some of its clients' invoices to third parties.
English Summary
Facts
Following a data breach notification from the controller Vodafone Romania, the Romanian DPA started an investigation and found that Vodafone wrongfully sent some of its clients' invoices to third parties.
Dispute
Holding
Because the invoices contained personal data of its clients, Vodafone Romania was fined RON 5,000 (approximately €1,000) for not taking the necessary measures to ensure data security and to prevent unauthorised access.
English Machine Translation of the Decision
The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.
The National Supervisory Authority completed in May of this year an investigation of the controller Vodafone Romania S.A. and found a violation of the provisions of art. 3 para. (1) and para. (3) lit. a) and b) of Law no. 506/2004, as amended and supplemented. As such, the controller Vodafone Romania S.A. was sanctioned with a fine of 5,000 RON.
The investigation was initiated as a result of a notification of a personal data breach that was transmitted by the controller, based on the provisions of art. 33 of the General Data Protection Regulation. During the investigation, it was found that the invoices of some Vodafone customers were erroneously sent to the e-mail addresses of third parties. This led to the unauthorized processing of, and access to, certain personal data of Vodafone customers, such as name, surname, telephone number, customer code and address.
Therefore, the National Supervisory Authority found that the controller did not take adequate technical and organizational measures to ensure the security of the processing of personal data, namely to ensure that personal data can be accessed only by authorized persons for the purposes authorized by law, and to protect personal data stored or transmitted against unlawful processing, access or disclosure.
On this occasion, we reiterate the need for each controller to provide internal training of employees on the rules of personal data protection, as part of the mandatory organizational measures incumbent on it.