ANSPDCP (Romania) - Fine against E Software Concept SRL

From GDPRhub
Revision as of 16:31, 17 July 2022 by DianaR
ANSPDCP - Fine against E Software Concept SRL
Authority: ANSPDCP (Romania)
Jurisdiction: Romania
Relevant Law: Article 32(1)(b) GDPR
Article 32(2) GDPR
Article 58(1)(a) GDPR
Article 58(1)(e) GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided:
Published: 07.07.2022
Fine: 4000 EUR
Parties: n/a
National Case Number/Name: Fine against E Software Concept SRL
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Romanian
Original Source: ANSPDCP (in RO)
Initial Contributor: Diana Rosu

The Romanian DPA fined a controller approximately € 4,000 for not implementing appropriate technical and organisational measures, and for not replying to the DPA's inquiries during the investigation.

English Summary

Facts

The controller E SOFTWARE CONCEPT SRL published on their website several documents, including client invoices and tracking numbers for the parcels sent to their clients. These documents included the personal data of their clients, including names, surnames, delivery addresses, phone numbers, usernames, passwords and email addresses.

Holding

In May 2022, the Romanian DPA started an investigation against the controller. Although the DPA required further information regarding the security measures adopted by the controller, the controller did not reply to the formal request for information submitted by the Authority. As a result, the controller was fined:
- approximately € 1,000 (RON 4,945.54) for not answering the Authority's request, in breach of Article 58(1)(a) and (e) GDPR, and
- approximately € 3,000 (RON 14,837.10) for not implementing the appropriate technical and organisational measures to ensure a proper level of security and confidentiality for personal data, in breach of Article 32(1)(b) and 32(2) GDPR.


English Machine Translation of the Decision

The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.

07.07.2022

Fine for violation of the GDPR



The National Supervisory Authority completed in May of this year an investigation at the operator E Software Concept SRL and found a violation of the provisions of art. 58 para. (1) lit. a) and e) and of art. 32 para. (1) lit. b) and para. (2) of the General Data Protection Regulation.

As such, the company E Software Concept SRL was sanctioned for minor offenses as follows:

- fine in the amount of 4,945.54 lei, the equivalent of 1000 EURO, as the operator did not provide the information requested by the Supervisory Authority;
- fine in the amount of 14,837.10 lei, the equivalent of 3000 EURO, as the operator did not implement adequate technical and organizational measures in order to ensure a level of security corresponding to the processing risk.

During the investigation, it was found that, on the operator's website, at certain links, certain documents were publicly available (such as invoices issued by E SOFTWARE CONCEPT SRL to its customers, individuals and legal entities, and AWBs - transport documents that must accompany the sending of parcels, issued by courier service applicants) by which the following personal data were revealed: name, surname, sender and consignee address, telephone number, username and password, e-mail addresses. This situation has led to the loss of confidentiality of personal data of the operator's customers (individuals and legal entities).

Thus, the company E SOFTWARE CONCEPT SRL was sanctioned with a fine for violating the provisions of art. 32 para. (1) lit. b) and para. (2) of the General Data Protection Regulation, as it has not implemented adequate technical and organizational measures to ensure a level of security appropriate to the risk of processing.

At the same time, the operator was fined for failing to comply with the request for information addressed by the National Supervisory Authority in the exercise of its powers.



Legal and Communication Department

A.N.S.P.D.C.P.