ANSPDCP (Romania) - Fine against Profi Rom Food Srl

From GDPRhub
Revision as of 13:35, 29 October 2024 by Fb (talk | contribs)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
ANSPDCP - Fine against Profi Rom Food Srl
LogoRO.jpg
Authority: ANSPDCP (Romania)
Jurisdiction: Romania
Relevant Law: Article 5(1)(a) GDPR
Article 6(1) GDPR
Article 32 GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided:
Published: 23.10.2024
Fine: 49,744 RON
Parties: Profi Rom Food Srl
National Case Number/Name: Fine against Profi Rom Food Srl
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Romanian
Original Source: ANSPDCP (in RO)
Initial Contributor: fb

The DPA fined a supermarket RON 49,744 (€10,000) after it forwarded personal data of its employees to a third party without a legal basis.

English Summary

Facts

An investigation carried out by the DPA showed that the controller had forwarded copies of the identity cards of its employees to a company providing unspecified services for it. These copies contained the data subjects' name, surname, personal identification number, address, ID card number, place of birth and picture.

Moreover, an employee of the controller took pictures of his working computer screen with a personal mobile phone. These pictures contained personal data. This employee then shared these pictures in a WhatsApp group chat. After becoming aware of this data breach, the controller notified the DPA according to Article 33 GDPR.

Holding

First, the DPA found that the controller transferred the copies of the ID cards to a third party without a legal basis. Therefore, it found a violation of Article 5(1)(a), 5(2) and 6(1) GDPR.

Second, as for the data breach notified by the controller, the DPA found a violation of Article 32(1)(b), 32(2) and 32(4) GDPR.

On these grounds, the DPA issued a fine of RON 49,744 (€10,000).

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.

23.10.2024

Penalty for GDPR violation

 

In September 2024, the National Supervisory Authority for the Processing of Personal Data completed an investigation at the operator Profi Rom Food Srl and found a violation of the provisions of art. 5 paragraph (1) lit. a) and para. (2) related to art. 6 para. (1), as well as the violation of the provisions of art. 32 para. (1) lit. b), art. 32 para. (2) and para. (4) of Regulation (EU) 2016/679.

As such, the operator was sanctioned with:

fine in the amount of 49,744 Ron (the equivalent of 10,000 Euro) for violating the provisions of art. 5 paragraph (1) lit. a) and para. (2) related to art. 6 para. (1) of Regulation (EU) 2016/679. warning for violating the provisions of art. 32 para. (1) lit. b), art. 32 para. (2) and para. (4) of Regulation (EU) 2016/679.

During the investigation carried out as a result of a notification, it was found that Profi Rom Food Srl sent copies of the identity cards of several employees of the operator to a company that provides certain services for the operator, without having any legal basis.

This situation led to the unauthorized access to personal data (name, surname, personal numerical code, identity card series and number, home address, gender, citizenship, place of birth and photo) contained in the identity cards of the above-mentioned persons .

As such, Profi Rom Food Srl was fined for violating the provisions of art. 5 para. (1) lit. a) and para. (2) related to art. 6 para. (1) of Regulation (EU) 2016/679.

On the other hand, as a result of the transmission by Profi Rom Food Srl of a notification of violation of the security of personal data under Regulation (EU) 2016/679, a warning was applied for the violation of the provisions of art. 32 para. (1) lit. b), art. 32 para. (2) and para. (4) of the Regulation.

During the investigation, it was found that an employee of the operator captured with his personal phone, from the monitor belonging to Profi Rom Food Srl, video recordings that were later transmitted between the operator's employees using the "WhatsApp" Messenger application.

The created situation led to the unauthorized disclosure in the public space of the personal data (image) of some natural persons, thus violating the provisions of art. 32 para. (1) lit. b), art. 32 para. (2) and para. (4) of Regulation (EU) 2016/679.

Also, during the investigation, it was found that the operator did not take measures to ensure that any person who acts under his authority and has access to personal data, only processes it at the request of the operator.

At the same time, based on the provisions of art. 58 para. (2) lit. b) from Regulation (EU) 2016/679, the following corrective measures were ordered for the operator:

to process personal data at the level of the operator, in the case of persons who are designated to participate in professional training courses, in compliance with the rules and principles provided for in art. 5 and 6 of Regulation (EU) 2016/679; to implement appropriate and effective technical and organizational measures that limit access to images and video recordings only to persons authorized or designated in this regard by the operator's decision and only in the event of incidents related to the purpose of installing these video surveillance cameras, reported for the purpose of processing, in compliance with the legislation in force and Regulation (EU) 2016/679; to regularly train the persons who process personal data under the authority of Profi Rom Food Srl.

 

Legal and Communication Department    

A.N.S.P.D.C.P