
ANSPDCP (Romania) - Vodafone Romania S.A.

From GDPRhub
Revision as of 09:45, 27 January 2025 by Elu
ANSPDCP - Vodafone Romania S.A.
Authority: ANSPDCP (Romania)
Jurisdiction: Romania
Relevant Law: Article 32(1)(b) GDPR
Article 32(4) GDPR
Article 33 GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided:
Published:
Fine: 74,526 RON
Parties: Vodafone Romania S.A.
National Case Number/Name: Vodafone Romania S.A.
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Romanian
Original Source: Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal (in RO)
Initial Contributor: elu

The DPA fined Vodafone Romania RON 74,526 (€15,000) after its employees engaged in unlawful personal data processing, including, among other incidents, an employee's transmission via WhatsApp of a screenshot containing personal data.

English Summary

Facts

Vodafone Romania S.A., the controller, notified the DPA of a personal data breach, pursuant to Article 33 GDPR.

The investigation revealed that the controller's employees did not respect the confidentiality of the data of its clients, the data subjects, in particular clients' names, surnames, e-mail addresses, customer codes, and customer addresses. The data breach involved several situations, including:

- the unlawful transmission of a data subject's invoice to a third party;

- not hiding data subjects' email addresses and not selecting the “Blind carbon copy” option in email correspondence concerning changes in a client’s account manager;

- the transmission via WhatsApp by an employee of a screenshot containing personal data present in the employee's application interface;

- the mistaken transmission of a data subject's invoice to a third party.

All these incidents entailed the disclosure of data and the subsequent access of employees to data subjects' personal data.

Holding

According to the DPA, the findings of the investigations indicated that the controller did not put in place appropriate technical and organizational measures to ensure that employees with access to personal data only process them when the controller needs them to do so. Moreover, no technical or organizational measures existed to ensure a level of security appropriate to the risk of processing, such as ensuring data confidentiality and integrity.

The DPA found a violation of Article 32(4) and (1)(b) GDPR and deemed it appropriate to impose a fine of RON 74,526 (€15,000).


English Machine Translation of the Decision

The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.

20.01.2025

Sanction for violation of the GDPR

The National Supervisory Authority for Personal Data Processing completed, in December 2024, several investigations at the operator Vodafone Romania S.A. and found a violation of the provisions of art. 32 paragraph (4) in conjunction with art. 32 paragraph (1) letter b of Regulation (EU) 2016/679.

As such, the operator was sanctioned with a fine of 74,526 Lei (equivalent to 15,000 Euros).

The investigations were initiated following the transmission by the operator of several notifications of personal data security breaches, according to the provisions of art. 33 of Regulation (EU) 2016/679, but also following some complaints.

The investigations revealed that, repeatedly, the operator Vodafone Romania S.A. failed to ensure the confidentiality of data belonging to several data subjects, customers of the company (name, surname, e-mail addresses, CNP, Customer Code and customer address), as a result of the failure to comply with the policies and work procedures regarding the processing of personal data by its employees or authorized persons.

The data security breach was determined by situations such as:

- the unauthorized transmission of a photo with the details of a data subject's invoice to a third party;

- failure to hide the recipients' e-mail addresses and failure to select the "BCC" (blind carbon copy) option when informing data subjects of changes regarding their account manager;

- the transmission via WhatsApp by an employee of an authorized person of a photo containing a screenshot of data displayed in the operator's application interface;

- the erroneous transmission of an invoice belonging to a data subject to a third party.

The incidents led to the disclosure and unauthorized access to the personal data of several data subjects.

Thus, it was found that the operator did not take appropriate technical and organizational measures to ensure that any natural person acting under its authority and having access to the personal data only processes them at their request and did not implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk of data processing, including the ability to ensure their confidentiality and integrity.

For these acts, the operator was fined for violating the provisions of art. 32 para. (4) in conjunction with art. 32 para. (1) letter b) of Regulation (EU) 2016/679.

The operator paid the established misdemeanor fine.

Legal and Communication Department

A.N.S.P.D.C.P