ANSPDCP (Romania) - Unirea S.R.L. Medical Center

From GDPRhub
ANSPDCP - Unirea S.R.L. Medical Center
Authority: ANSPDCP (Romania)
Jurisdiction: Romania
Relevant Law: Article 24 GDPR
Article 32(1)(b) GDPR
Article 58(2)(d) GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided:
Published:
Fine: 9,953 RON
Parties: Unirea S.R.L. Medical Center
National Case Number/Name: Unirea S.R.L. Medical Center
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Romanian
Original Source: Autoritatea Naţională de Supraveghere a Prelucrării Datelor cu Caracter Personal (in RO)
Initial Contributor: elu

The DPA imposed a fine of RON 9,953 (€2,000) on the largest private healthcare network in Romania after the credentials for accessing a data subject's e-mail account were publicly exposed by being displayed on a computer monitor.

English Summary

Facts

A complaint was filed by the data subject against Unirea S.R.L. Medical Center, the largest private healthcare network in Romania, acting as the controller. The data subject claimed that, during the collection of their biological samples, the access credentials to their e-mail account were publicly exposed by being displayed on a computer monitor.

Following this complaint, the DPA started an investigation.

Holding

The DPA found that the controller did not adopt appropriate technical and organisational measures to ensure a level of security appropriate to the risk of the processing, as required by Article 24 GDPR.

Among these measures is the obligation to ensure the confidentiality of the data subject's personal data, as laid out in Article 32(1)(b) GDPR. This obligation was breached, at least at the time of the incident, through the public exposure of the data subject's personal data on the computer monitor.

Therefore, the DPA deemed it appropriate to impose a fine of RON 9,953 (€2,000) for the controller's violation of Articles 24 and 32 GDPR.

Additionally, the DPA ordered the controller to implement the following corrective measures, under its powers laid out in Article 58(2)(d) GDPR. First, it compelled the controller to train its employees on their obligations under the GDPR, including the risks and consequences of personal data processing. Second, it required the controller to adopt an updated password policy to ensure the confidentiality of users' credentials.

English Machine Translation of the Decision

The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.

13.01.2025

Sanction for violation of the GDPR

The National Supervisory Authority for Personal Data Processing completed an investigation in 2024 at the operator Centrul Medical Unirea S.R.L. and found a violation of the provisions of art. 24 and art. 32 of Regulation (EU) 2016/679 (GDPR).

As such, the operator was fined 9,953 Lei (equivalent to 2,000 Euros).

The investigation was initiated following a complaint regarding a possible violation of Regulation (EU) 2016/679, regarding the security of personal data.

The complainant complained that, at a medical work point for collecting biological samples of the operator, the access credentials to his e-mail account were publicly exposed, by displaying them on the computer monitor.

Consequently, it was found that the operator did not adopt adequate technical and organizational measures in order to ensure a level of security appropriate to the risk of the processing, including the ability to ensure the confidentiality of the personal data of some data subjects, which allowed unauthorized access to them, at least at the date of the complaint of the incident.

As such, this act represents a violation of the provisions of art. 32 of Regulation (EU) 2016/679, the operator being sanctioned with a fine.

At the same time, pursuant to art. 58 par. (2) lit. d) of the GDPR, the following corrective measures were ordered:

Training of persons acting under the authority of the controller regarding their obligations under the GDPR, including the risks and consequences involved in the processing of personal data.

Adopting an updated password policy that also includes rules regarding the confidentiality of user credentials.

The controller paid the established contravention fine.

Legal and Communication Department

A.N.S.P.D.C.P