ANSPDCP (Romania) - Automobilus International SRL

From GDPRhub
Authority: ANSPDCP (Romania)
Jurisdiction: Romania
Relevant Law: Article 5(1)(f) GDPR
Article 32(1) GDPR
Article 32(2) GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided:
Published: 12.03.2025
Fine: 24,885 RON
Parties: Automobilus International SRL
National Case Number/Name: Automobilus International SRL
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Romanian
Original Source: Autoritatea Naţională de Supraveghere a Prelucrării Datelor cu Caracter Personal Protecţia Datelor Data Protection Protection des Donnees (in RO)
Initial Contributor: elu

The DPA fined a controller RON 24,885 (€5,000) after their database was illegally accessed as a result of the lack of appropriate technical and organizational measures to protect the integrity and confidentiality of personal data.

English Summary

Facts

An employee of the controller notified the DPA of a personal data breach, as required by Article 33 GDPR.

The notification concerned a security incident, whereby information from a database was illegally accessed. Such access to the information resulted from a vulnerability of one of the employee’s servers.

The personal data of the data subjects concerned were name, surname, telephone number and delivery address, belonging to a significant number of the controller's customers.

The DPA started an investigation, which revealed that the controller did not implement the appropriate technical and organizational measures to ensure the required security level.

Holding

The DPA held that the controller did not implement appropriate technical and organizational measures, as required by Article 32(1) and (2) GDPR, to ensure a level of security appropriate to the processing risk stemming from the destruction, loss, alteration, unauthorised disclosure of, or unauthorised access to, the personal data transmitted, stored or otherwise processed.

Moreover, such failure clashes with the principle of integrity and confidentiality laid out in Article 5(1)(f) GDPR.

The DPA found a violation of Article 5(1)(f) GDPR and Article 32(1) and (2) GDPR. Thus, the DPA deemed it appropriate to impose a fine of RON 24,885 (€5,000).

Additionally, the DPA recommended that the controller inform the affected data subjects of the security incident and put in place the technical and organizational measures adopted to remedy the breach.

English Machine Translation of the Decision

The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.

12.03.2025

Sanction for violation of the GDPR

The National Supervisory Authority for Personal Data Processing completed, in February 2025, an investigation at the operator Automobilus International S.R.L. and found a violation of art. 32 para. (1) and para. (2) of Regulation (EU) 2016/679.

As such, the operator was sanctioned with a fine in the amount of 24,885 Lei, equivalent to the amount of 5,000 Euros.

The investigation was initiated following the transmission by the operator Automobilus International S.R.L. of a notification of a personal data breach, according to the provisions of art. 33 of Regulation (EU) 2016/679.

Thus, the operator reported a security incident, namely that information from its database was illegally accessed by a third party and at the same time the confidentiality of some personal data was lost. It was also notified that access to the information in the records system held was obtained by exploiting a vulnerability in one of the operator's servers.

During the investigation, it was found that the operator did not implement adequate technical and organizational measures in order to ensure a level of security appropriate to the processing risk generated in particular, accidentally or unlawfully, by the destruction, loss, modification, unauthorized disclosure or unauthorized access to personal data transmitted, stored and otherwise processed, as it was obliged to do under art. 5 para. (1) letter f) of the GDPR.

In this context, certain categories of personal data were illegally accessed, such as: name, surname, telephone number, delivery address, belonging to a significant number of the operator's clients.

Thus, since no appropriate technical and organizational measures were taken to ensure an appropriate level of security, a violation of the provisions of art. 32 para. (1) and para. (2) of Regulation (EU) 2016/679 was found, and the operator was fined.

At the same time, pursuant to art. 58 para. (2) letter d) of the Regulation, the corrective measure of informing the affected data subjects about the security incident, as well as about the technical and organizational measures adopted for the purpose of remediation by displaying a press release on the front page of the company's website, was ordered against the operator.

Legal and Communication Department

A.N.S.P.D.C.P