ANSPDCP (Romania) - Fine against Curtea Veche Publishing SRL

From GDPRhub
Revision as of 08:25, 27 September 2022 by Jg
ANSPDCP - Fine against Curtea Veche Publishing SRL
Authority: ANSPDCP (Romania)
Jurisdiction: Romania
Relevant Law: Article 32(1)(b) GDPR
Article 32(1)(c) GDPR
Article 32(2) GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided:
Published: 21.09.2022
Fine: 5000 EUR
Parties: Curtea Veche Publishing SRL
National Case Number/Name: Fine against Curtea Veche Publishing SRL
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Romanian
Original Source: ANSPDCP (in RO)
Initial Contributor: Diana Rosu

The Romanian DPA fined a publisher €5,000 for a lack of adequate technical and organisational measures after two data breaches that affected 10,739 of its (former) customers and 100 of its employees and partners.

English Summary

Facts

The customer database of a Romanian publisher (the controller) was posted on an online forum, resulting in a data breach. The database included the names, phone numbers, email addresses, encrypted passwords and IP addresses of 10,739 of the controller's customers (the data subjects) between 2019 and 2021.

The controller had a second data breach that occurred due to a ransomware attack. The incident led to unauthorised access to and loss of personal data belonging to approximately 100 data subjects (the controller's employees and partners).

Following the two data breaches, the controller notified the Romanian DPA. After the notification, the DPA started an investigation.

Holding

The DPA found that the controller had not implemented adequate technical and organisational measures that would ensure an appropriate level of security. The DPA therefore held that the controller violated Article 32(1)(b), (c) and 32(2) GDPR.

The DPA fined the controller approximately €5,000 (24,566 RON).

In addition, the DPA ordered the controller to review and update its technical and organisational measures, and to include additional IT security measures.

Comment

The Romanian DPA only publishes press releases. This summary is based on their press release.

The press release did not go into the technical and organisational measures that the controller had implemented and why they were insufficient.

English Machine Translation of the Decision

The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.

21.09.2022

Penalty for GDPR violation



In August 2022, the National Supervisory Authority completed an investigation at the operator Curtea Veche Publishing SRL and found a violation of the provisions of art. 32 para. (1) lit. b) and c) and para. (2) of the General Data Protection Regulation.

The operator was penalized for contravention with a fine of 24,566 lei (equivalent to 5000 EURO).

The investigation was started as a result of the transmission by the operator of some notifications of personal data security violations under the General Data Protection Regulation.

One of the data security breaches occurred as a result of the posting on a public forum of a file containing the operator's customer database from 2019 to 2021.

This situation led to the unauthorized disclosure of certain personal data, such as name, surname, telephone number, e-mail, password in encrypted form, IP address from which the user account was created, of a number of 10739 customers of the operator.

The second data security breach occurred as a result of a ransomware attack, which led to unauthorized access and loss of integrity and availability of certain personal data of approx. 100 data subjects (employees and collaborators of Curtea Veche Publishing SRL).

During the investigation, the National Supervisory Authority found that the operator did not implement adequate technical and organizational measures in order to ensure a level of security corresponding to the processing risk for the rights and freedoms of natural persons.

As such, the operator Curtea Veche Publishing SRL was fined 24,566 lei (the equivalent of 5000 EURO) for violating the provisions of art. 32 para. (1) lit. b) and c) and para. (2) of the General Data Protection Regulation.

At the same time, the operator was also given the corrective measure to review and update the technical and organizational measures implemented as a result of the risk assessment for the rights and freedoms of individuals and the work procedures related to the protection of personal data, including through the implementation of additional IT data security solutions.



Legal and Communication Department

A.N.S.P.D.C.P.