ANSPDCP (Romania) - Fine against World Class Romania S.A.

From GDPRhub
ANSPDCP (Romania) - Fine against World Class Romania S.A.
LogoRO.jpg
Authority: ANSPDCP (Romania)
Jurisdiction: Romania
Relevant Law: Article 32 GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided:
Published: 07.05.2021
Fine: 9851 RON
Parties: World Class România S.A.
National Case Number/Name: Fine against World Class Romania S.A.
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Romanian
Original Source: ANSPDCP (in RO)
Initial Contributor: Diana Rosu

The Romanian DPA fined a controller approximately €2000 (RON 9 851) for breaching Article 32 GDPR by publishing the resignation request of a former employee on its employee WhatsApp group.

English Summary

Facts

The controller World Class Romania S.A. made available a resignation request of a former employee on the employees' WhatsApp group.

Holding

The Romanian DPA held that the controller did not implement appropriate technical and organisational measures to ensure an appropriate level of data confidentiality, considering that all the members of the WhatsApp group had access to the personal data included in the resignation request.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.

The National Supervisory Authority completed, in April 2021, an investigation of the controller World Class Romania S.A., finding the violation of the provisions of art. 32 of the General Data Protection Regulation.

As such, the controller World Class Romania S.A. was sanctioned with a fine in the amount of 9,851.00 RON (the equivalent of 2000 EUR).

The investigation was initiated following a notification and the National Supervisory Authority found that the controller World Class Romania S.A. posted on the WhatsApp group of its employees a resignation request of one of its employees, thus allowing unauthorized access of all members of that WhatsApp group to certain personal data (name, surname, address, personal number and identity card, code personal information, information related to the request for termination of employment).

In this context, the National Supervisory Authority considered that the controller World Class Romania S.A. did not take sufficient technical and organizational measures to ensure the confidentiality of the data subject's personal data.

A corrective measure was also applied to the controller World Class Romania S.A. Thus, within 30 days from the communication date, the controller was ordered to ensure compliance with the General Data Protection Regulation, personal data processing operations, by implementing appropriate technical and organizational measures in case of remote transmission of personal data, including in terms of regular employee training.