ANSPDCP (Romania) - Fine against Your Consulting SRL
ANSPDCP - Fine against Your Consulting SRL | |
---|---|
Authority: | ANSPDCP (Romania) |
Jurisdiction: | Romania |
Relevant Law: | Article 25(1) GDPR; Article 32(1)(a) GDPR; Article 32(1)(b) GDPR; Article 32(1)(d) GDPR; Article 32(2) GDPR |
Type: | Complaint |
Outcome: | Upheld |
Started: | |
Decided: | |
Published: | 16.10.2024 |
Fine: | 14.929,20 RON |
Parties: | Your Consulting SRL |
National Case Number/Name: | Fine against Your Consulting SRL |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | Romanian |
Original Source: | ANSPDCP (in RO) |
Initial Contributor: | fb |
The DPA fined a controller RON 14.929,20 (€3,000) after inadequate technical measures led to a data breach.
English Summary
Facts
Between March and April 2024, a third party accessed personal data stored on the controller's server without authorisation.
The data subject filed a complaint with the DPA.
Holding
First, the DPA noted that this data breach occurred because the controller did not implement adequate technical and organizational measures to ensure the security of the processing. This led to the unauthorised access to this data.
Therefore, the DPA found a violation of Articles 25(1), 32(1)(a), 32(1)(b), 32(1)(d) and 32(2) GDPR and issued a fine of RON 14.929,20 (€3,000).
Moreover, pursuant to Article 58(2) GDPR the DPA ordered the controller to implement a mechanism for regular testing, evaluation and assessment of the effectiveness of the measures adopted, taking into account the risk posed by the processing, in order to ensure an adequate level of security and to avoid similar security incidents in the future.
English Machine Translation of the Decision
The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.
16.10.2024
Penalty for GDPR violation
The National Supervisory Authority completed an investigation at the operator Your Consulting SRL and found a violation of the provisions of art. 25 para. (1), art. 32 para. (1) lit. a), b) and d) and art. 32 para. (2) of Regulation (EU) 2016/679.
As such, the operator Your Consulting SRL was fined 14,929.20 lei (the equivalent of 3,000 EURO) for contravention.
The investigation was started as a result of a notification that indicated that certain personal data had been disclosed through the operator's application https://your-scim.herokuapp.com.
During the investigation it was found that the operator did not implement adequate technical and organizational measures at the time of establishing the means of processing or at the time of the processing itself and did not carry out the periodic testing, evaluation and assessment of the effectiveness of the technical and organizational measures to guarantee the security of the processing.
This situation led to unauthorized access to personal data (name and surname, personal numerical code, number of nominally distributed holiday vouchers, total nominal value of holiday vouchers, date of return from child-rearing leave) of some natural persons, in the period March - April 2024.
In this context, the operator Your Consulting SRL was fined for violating the provisions of art. 25 para. (1), art. 32 para. (1) lit. a), b) and d) and art. 32 para. (2) of Regulation (EU) 2016/679.
At the same time, under the provisions of art. 58 para. (2) of Regulation (EU) 2016/679, the corrective measure was also ordered to implement a mechanism regarding the periodic testing, evaluation and assessment of the effectiveness of the adopted measures, taking into account the risk presented by the processing, in order to ensure an appropriate level of security and to avoid similar security incidents in the future.
Legal and Communication Department
A.N.S.P.D.C.P