ANSPDCP (Romania) - Fine against Constanța South Container Terminal SRL
| ANSPDCP - Fine against Constanța South Container Terminal SRL | |
|---|---|
 | |
| Authority: | ANSPDCP (Romania) |
| Jurisdiction: | Romania |
| Relevant Law: | Article 32(1) GDPR Article 32(2) GDPR Article 33 GDPR |
| Type: | Investigation |
| Outcome: | Violation Found |
| Started: | |
| Decided: | |
| Published: | 17.09.2024 |
| Fine: | 14,929.50 RON |
| Parties: | Constanța South Container Terminal SRL |
| National Case Number/Name: | Fine against Constanța South Container Terminal SRL |
| European Case Law Identifier: | n/a |
| Appeal: | Unknown |
| Original Language(s): | Romanian |
| Original Source: | ANSPDCP (in RO) |
| Initial Contributor: | fb |
The DPA fined a controller RON 14,929.50 (€3,000) after a data breach led to the unauthorised access and disclosure of its employees' personal data.
English Summary
Facts
The controller experienced a data breach regarding personal data of its employees in Romania (i.e. full name, date of birth, addresses, home telephone numbers and personal e-mails). This data was accessed by an unauthorised third party.
The controller notified this data breach to the DPA pursuant to Article 33 GDPR.
Holding
The DPA held that the controller did not implement adequate technical and organizational measures to ensure a level of security appropriate to the risk of processing.
Therefore, it found a violation of Article 32(1) and 32(2) GDPR.
On these grounds, it issued a fine of RON 14,929.50 (€3,000) and ordered the controller to review and update its technical and organizational measures concerning the security of personal data processed through its IT infrastructure, in particular those concerning the connection from outside the network to the data servers.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.
17.09.2024 Penalty for GDPR violation The National Supervisory Authority for the Processing of Personal Data completed in August 2024 an investigation at the operator Constanța South Container Terminal SRL and found a violation of the provisions of art. 32 para. (1) lit. b) and para. (2) of the General Data Protection Regulation. As such, Constanța South Container Terminal SRL was penalized for contravention with a fine of 14,929.50 lei (equivalent to 3000 EURO). The investigation was started as a result of a data security breach notification, based on the provisions of art. 33 of the General Data Protection Regulation, which was sent by the operator. The breach of data security consisted in the unauthorized access by a third party to the personal data (respectively the full name, date of birth, addresses, home telephone numbers and personal e-mails) of its employees in Romania (data subjects) located on a platform of file manager used by the operator and which was public on the Internet without having adequate security measures implemented. From the checks carried out, it emerged that the operator did not implement adequate technical and organizational measures in order to ensure a level of security corresponding to the processing risk, including the ability to ensure confidentiality, although the operator had the obligation to continuously ensure the security of personal data processing for its employees, in relation to the provisions of art. 32 of the General Data Protection Regulation. At the same time, the operator was also given the corrective measure to review and update the technical and organizational measures implemented regarding the security of personal data processed through the IT infrastructure used, especially those regarding the connection from outside the network to the data servers. Legal and Communication Department A.N.S.P.D.C.P
