ANSPDCP (Romania) - Fine against Bitfactor SRL

From GDPRhub
Revision as of 19:20, 26 September 2022 by DianaR
Authority: ANSPDCP (Romania)
Jurisdiction: Romania
Relevant Law: Article 25(1) GDPR
Article 32(1)(b) GDPR
Article 32(1)(d) GDPR
Article 32(2) GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided:
Published: 22.09.2022
Fine: 2000 EUR
Parties: Bitfactor SRL
National Case Number/Name: Fine against Bitfactor SRL
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Romanian
Original Source: ANSPDCP (in RO)
Initial Contributor: Diana Rosu

The Romanian DPA fined a controller approximately EUR 2,000 over the lack of adequate technical and organisational measures that would protect personal data both at rest and in transit, which led to a data breach affecting 1757 data subjects.

English Summary

Facts

A data controller had a data breach due to technical malfunctions of its service used for marketing communications, affecting the personal data of 2757 data subjects (users of the controller's website).

The controller notified the incident to the Romanian Authority.

Holding

Following the notification, the Romanian DPA opened an investigation into the controller and found that it lacked adequate technical and organisational measures to ensure that personal data is protected both in transit and at rest. As a result, the controller was found in breach of Articles 25(1), 32(1)(b), 32(1)(d) and 32(2) GDPR and was fined approximately EUR 2,000 (RON 9,852.8).

English Machine Translation of the Decision

The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.

22.09.2022

A new penalty for breaching GDPR



In August 2022, the National Supervisory Authority completed an investigation of the operator Bitfactor SRL and found a violation of the provisions of art. 25 para. (1) and art. 32 para. (1) and para. (2) of the General Data Protection Regulation.

The operator Bitfactor SRL was fined 9,852.8 lei (the equivalent of 2000 EURO) for this contravention.

The investigation was started after the operator submitted a notification of a personal data security breach under the General Data Protection Regulation.

The data breach occurred as a result of the malfunctioning of an application of the operator that sent marketing communications to users of its website, which led to a breach of the confidentiality of the personal data of 1757 data subjects, users of the operator's website.

During the investigation, it was found that the operator did not implement adequate technical and organizational measures that would continuously protect the personal data of the persons concerned, both at the time of establishing the means of processing and at the time of the processing itself, and that were intended to effectively apply the principles of data protection and integrate the necessary guarantees within the processing, although, according to art. 5 lit. f) of the General Data Protection Regulation, the operator had the obligation to respect the principle of integrity and confidentiality.

In this context, we emphasize that art. 25 para. (1) of the General Data Protection Regulation states that "the operator, both at the time of establishing the means of processing, and at the time of the processing itself, implements appropriate technical and organizational measures, such as pseudonymization, which are intended to effectively implement data protection principles, such as data minimization, and integrate the necessary safeguards into the processing, to meet the requirements of this regulation and protect the rights of data subjects."

Also, recital (78) of the General Data Protection Regulation establishes that "the operator should adopt internal policies and implement measures that respect in particular the principle of data protection from the moment of conception and that of implicit data protection."

As such, the operator Bitfactor SRL was fined 9,852.8 lei (the equivalent of 2000 EURO) for violating the provisions of art. 25 para. (1) and art. 32 para. (1) lit. b), d) and para. (2) of the General Data Protection Regulation.

Legal and Communication Department

A.N.S.P.D.C.P.