ANSPDCP (Romania) - Fine against Your Consulting SRL

From GDPRhub
Revision as of 09:22, 17 October 2024 by Fb
ANSPDCP - Fine against Your Consulting SRL
Authority: ANSPDCP (Romania)
Jurisdiction: Romania
Relevant Law: Article 25(1) GDPR
Article 32(1)(a) GDPR
Article 32(1)(b) GDPR
Article 32(1)(d) GDPR
Article 32(2) GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided:
Published: 16.10.2024
Fine: 14.929,20 RON
Parties: Your Consulting SRL
National Case Number/Name: Fine against Your Consulting SRL
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Romanian
Original Source: ANSPDCP (in RO)
Initial Contributor: fb

The DPA fined a controller RON 14.929,20 (€3,000) after the implementation of inadequate technical measures led to a data breach.

English Summary

Facts

Between March and April 2024, a third party accessed without authorisation personal data stored on the controller's server.

The data subject filed a complaint with the DPA.

Holding

First, the DPA noted that this data breach occurred because the controller did not implement adequate technical and organizational measures to ensure the security of the processing. This led to the unauthorised access to this data.

Therefore, the DPA found a violation of Articles 25(1), 32(1)(a), 32(1)(b), 32(1)(d) and 32(2) GDPR and issued a fine of RON 14.929,20 (€3,000).

Moreover, pursuant to Article 58(2) GDPR the DPA ordered the controller to implement a mechanism for regular testing, evaluation and assessment of the effectiveness of the measures adopted, taking into account the risk posed by the processing, in order to ensure an adequate level of security and to avoid similar security incidents in the future.


English Machine Translation of the Decision

The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.

16.10.2024

Penalty for GDPR violation

 

The National Supervisory Authority completed an investigation at the operator Your Consulting SRL and found a violation of the provisions of art. 25 para. (1), art. 32 para. (1) lit. a), b) and d) and art. 32 para. (2) of Regulation (EU) 2016/679.

As such, the operator Your Consulting SRL was fined 14,929.20 lei (the equivalent of 3,000 EURO) for contravention.

The investigation was started as a result of a notification that indicated that certain personal data had been disclosed through the operator's application https://your-scim.herokuapp.com.

During the investigation it was found that the operator did not implement adequate technical and organizational measures at the time of establishing the means of processing or at the time of the processing itself and did not carry out the periodic testing, evaluation and assessment of the effectiveness of the technical and organizational measures to guarantee the security of the processing.

This situation led to unauthorized access to the personal data (name and surname, personal numerical code, number of nominally distributed holiday vouchers, total nominal value of holiday vouchers, date of return from child-rearing leave) of some natural persons in the period March - April 2024.

In this context, the operator Your Consulting SRL was fined for violating the provisions of art. 25 para. (1), art. 32 para. (1) lit. a), b) and d) and art. 32 para. (2) of Regulation (EU) 2016/679.

At the same time, under the provisions of art. 58 para. (2) of Regulation (EU) 2016/679, a corrective measure was also ordered: to implement a mechanism for the periodic testing, evaluation and assessment of the effectiveness of the adopted measures, taking into account the risk presented by the processing, in order to ensure an appropriate level of security and avoid similar security incidents in the future.

Legal and Communication Department    

A.N.S.P.D.C.P