ANSPDCP (Romania) - Fine against Rețele Electrice Muntenia SA and Rețele Electrice Dobrogea SA

From GDPRhub
Authority: ANSPDCP (Romania)
Jurisdiction: Romania
Relevant Law: Article 32(1) GDPR
Article 32(2) GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided:
Published: 25.06.2024
Fine: 19,904 RON
Parties: Rețele Electrice Muntenia SA
Rețele Electrice Dobrogea SA
National Case Number/Name: Fine against Rețele Electrice Muntenia SA and Rețele Electrice Dobrogea SA
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Romanian
Original Source: ANSPDCP (in RO)
Initial Contributor: naadiya.z

The DPA imposed a total fine of €4,000 (RON 19,904) on two electricity providers for failing to implement adequate technical and organisational measures, which allowed a data subject to access the personal data of other customers.

English Summary

Facts

A data subject logged into his account on the joint website of Rețele Electrice Muntenia SA and Rețele Electrice Dobrogea SA (‘controllers’) and was able to view the personal data of other customers of the controllers (name, surname, address, personal numerical code). The data subject lodged a complaint against the controllers with the Romanian DPA (‘ANSPDCP’).

Holding

Article 32(1) GDPR establishes that the controller must implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk. Article 32(2) GDPR indicates that when assessing the appropriate level of security, the risks that are presented by processing must be taken into account, in particular the unauthorized disclosure of the personal data.

The ANSPDCP found that, in the present case, the controllers did not implement adequate technical and organisational measures in order to ensure a level of security appropriate to the processing risk, which led to unauthorized access by a third party to the personal data of other customers. The DPA held that this violated Article 32(1) and 32(2) GDPR.

Therefore, the DPA imposed a €3,000 (RON 14,298) fine on Rețele Electrice Muntenia SA and a €1,000 (RON 4,976) fine on Rețele Electrice Dobrogea SA. The DPA also ordered the controllers to implement periodic tests on their website.

English Machine Translation of the Decision

The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.

25.06.2024

Penalty for GDPR violation

The National Supervisory Authority completed two investigations at the operators Rețele Electrice Muntenia SA and Rețele Electrice Dobrogea SA, during which it found a violation of the provisions of art. 32 para. (1) lit. b) and d) and art. 32 para. (2) of Regulation (EU) 2016/679.

As such, the operators were penalized with a fine for violating the aforementioned provisions, as follows:

- Rețele Electrice Muntenia SA - fine in the amount of 14,928.60 lei (the equivalent of 3000 EURO);

- Rețele Electrice Dobrogea SA - fine in the amount of 4,976.20 lei (the equivalent of 1000 EURO).

The investigations were started as a result of reports that indicated that a user connected to his account on the common website of the two operators, www.e.distributie.com, could view the personal data of other customers of the operators.

At the same time, the operators Rețele Electrice Muntenia SA and Rețele Electrice Dobrogea SA sent our institution data security breach notifications regarding the reported issues.

During the investigations carried out, it was found that the operators did not implement adequate technical and organizational measures in order to ensure a level of security corresponding to the processing risk, including the ability to ensure the confidentiality of processing systems and services, which led to the unauthorized access of a third party to the personal data (name, surname, street, city, personal numerical code) of some customers of the operators, thus violating the provisions of art. 32 para. (1) lit. b) and d) and art. 32 para. (2) of Regulation (EU) 2016/679.

At the same time, under the provisions of art. 58 para. (2) of Regulation (EU) 2016/679, the operators Rețele Electrice Dobrogea SA and Rețele Electrice Muntenia SA were also ordered, as a corrective measure, to implement periodic testing for the online services offered to customers on the new web portal owned by these operators.

Legal and Communication Department 

A.N.S.P.D.C.P