ANSPDCP (Romania) - S.P.E.E.H. Hidroelectrica SA

From GDPRhub
ANSPDCP - S.P.E.E.H. Hidroelectrica SA
Authority: ANSPDCP (Romania)
Jurisdiction: Romania
Relevant Law: Article 25(1) GDPR
Article 25(2) GDPR
Article 33 GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided:
Published: 31.01.2025
Fine: 74,562 RON
Parties: S.P.E.E.H. Hidroelectrica SA
National Case Number/Name: S.P.E.E.H. Hidroelectrica SA
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Romanian
Original Source: S.P.E.E.H. Hidroelectrica SA (in RO)
Initial Contributor: elu

The DPA fined a controller RON 74,562 (€15,000) after a technical error during the launch of its app led to a data breach, i.e. the unauthorised disclosure of personal data.

English Summary

Facts

The controller, S.P.E.E.H. Hidroelectrica SA, notified the DPA of a personal data breach as per Article 33 GDPR.

The DPA started an investigation, which revealed that a technical error had occurred during the launch of the controller’s app. This technical error resulted in the unauthorised disclosure of personal data belonging to a significant number of data subjects.

Holding

The DPA held that the controller had not correctly implemented the principles of data protection by design and by default, as required by Article 25(1) and (2) GDPR.

In fact, the controller had not put in place appropriate technical or organisational measures to protect the personal data against unauthorised or unlawful processing and against accidental loss, destruction or damage.

The DPA found that the controller violated Article 25(1) and (2) GDPR and deemed it appropriate to impose a fine of RON 74,562 (€15,000).

Additionally, the DPA ordered the controller to implement, both technically and procedurally, a test plan to be carried out before launching its apps into production.

English Machine Translation of the Decision

The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.

31.01.2025

Sanction for violation of the GDPR

The National Supervisory Authority for Personal Data Processing completed, in December 2024, an investigation at the operator S.P.E.E.H. HIDROELECTRICA S.A and found a violation of art. 25 para. (1) and para. (2) of Regulation (EU) 2016/679.

As such, the operator was sanctioned with a fine of 74,562 Lei (equivalent to 15,000 Euros).

The investigation was initiated following the transmission by the operator S.P.E.E.H. HIDROELECTRICA S.A of a notification of a personal data breach, according to the provisions of art. 33 of Regulation (EU) 2016/679.

During the investigation, it was found that the personal data security breach occurred within and at the time of launching the operator's application, as a result of a technical error and the failure to carry out sufficient testing of it in a test environment, which would simulate the real use environment in all processes and interactions with other applications used by the operator.

This situation led to the loss of integrity and availability of personal data, namely to the unauthorized disclosure of and/or unauthorized access to personal data belonging to a significant number of data subjects.

Consequently, since the operator did not process personal data in a manner that ensures their adequate security, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, by taking appropriate technical or organizational measures, it was sanctioned with a fine, for violating the provisions of art. 25 para. (1) and para. (2) of Regulation (EU) 2016/679.

At the same time, the corrective measure of technical and procedural implementation of a test plan in the test environment, which would simulate the real production scenario in all plausible situations in the production environment, was ordered against the operator, prior to the launch into production of all components/applications that are intended to be introduced within the activities that include personal data processing.

The operator paid the established contravention fine.

Legal and Communication Department

A.N.S.P.D.C.P