ANSPDCP (Romania) - Vodafone România SA

From GDPRhub
Revision as of 17:46, 20 September 2022 by Dana.duta
ANSPDCP - Vodafone România SA
Authority: ANSPDCP (Romania)
Jurisdiction: Romania
Relevant Law: Article 29 GDPR
Article 32(1)(b) GDPR
Article 32(2) GDPR
Article 32(4) GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided:
Published: 19.09.2022
Fine: 2,000 EUR
Parties: Vodafone România SA
National Case Number/Name: Vodafone România SA
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Romanian
Original Source: ANSPDCP (in RO)
Initial Contributor: Daniela Duta

The Romanian DPA fined a telecommunications operator for failing to verify that its processors complied with the caller identification procedure, a failure that allowed third parties to fraudulently purchase phones on behalf of the controller's customers.

English Summary

Facts

The Romanian DPA completed an investigation at Vodafone Romania SA, which was started after the controller submitted two data breach notifications. During the investigation, ANSPDCP found that the controller had failed to check whether its processors complied with the caller identification procedure.

This situation allowed third parties to access data from contracts concluded by customers with the controller and data from personal My Vodafone accounts, such as: name, surname, address, personal identification number, contact phone number, PUK code, contact number of the account holder, the SIM series of the original card, the amount of the last unpaid bill and the data traffic.


Holding

The Romanian DPA completed an investigation at Vodafone Romania SA and found a violation of Article 29 GDPR, Article 32(1)(b) GDPR, Article 32(2) GDPR and Article 32(4) GDPR. Consequently, the DPA fined the controller €2,000.

The telecom operator failed to adopt sufficient guarantees to ensure that any individual acting on behalf of the controller and having access to personal data processes them only on the instructions of the controller, and failed to implement adequate technical and organizational measures to ensure an adequate level of protection.


Comment

This summary is based on a press release of the Romanian DPA.


English Machine Translation of the Decision

The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.

19.09.2022

A new penalty for breaching GDPR



The National Supervisory Authority completed an investigation at the Vodafone Romania SA operator and found a violation of the provisions of art. 29 and art. 32 para. (1) lit. b), paragraph (2) and para. (4) of the General Data Protection Regulation.

The Vodafone Romania SA operator was fined 9,890.8 lei (the equivalent of 2000 EURO).

The investigation was started as a result of the transmission by the operator of two notifications of a breach of the security of personal data under the General Data Protection Regulation.

During the investigation, it was found that the operator Vodafone Romania SA did not check compliance with the caller identification procedure by its representatives, which allowed third parties to fraudulently purchase new phones on behalf of some of the operator's customers.

Also, this situation allowed third parties to access data from contracts concluded by customers with the operator and data from My Vodafone personal accounts, such as: name, first name, address, personal code, contact phone number, PUK code, the contact number of the account holder, the SIM series of the original card, the amount of the last unpaid bill and the data traffic.

At the same time, the National Supervisory Authority found that Vodafone Romania SA did not adopt sufficient measures to ensure that any natural person who acts under the authority of the operator and who has access to personal data only processes them at the request of the operator and did not implement appropriate technical and organizational measures to ensure a level of confidentiality and security corresponding to the risk of processing.

As such, the operator Vodafone Romania SA was fined for violating the provisions of art. 29 and art. 32 para. (1) lit. b) and para. (2) of the General Data Protection Regulation.



Legal and Communication Department

A.N.S.P.D.C.P.