ANSPDCP (Romania) - 07.12.2023
| ANSPDCP - 07.12.2023 | |
|---|---|
 | |
| Authority: | ANSPDCP (Romania) |
| Jurisdiction: | Romania |
| Relevant Law: | Article 12(3) GDPR Article 12(4) GDPR Article 15(1) GDPR Article 32 GDPR Article 33(1) GDPR |
| Type: | Complaint |
| Outcome: | Other Outcome |
| Started: | |
| Decided: | |
| Published: | |
| Fine: | 24000 EUR |
| Parties: | n/a |
| National Case Number/Name: | 07.12.2023 |
| European Case Law Identifier: | n/a |
| Appeal: | n/a |
| Original Language(s): | Romanian |
| Original Source: | Romanian DPA (in RO) |
| Initial Contributor: | maxinescu |
Hora Credit IFN SA, a non-financial institution, was fined €24,000 following a data breach. The DPA found a violation of Article 32 GDPR, among others, since the institution sent documents containing the personal data of a client to the wrongful recipient.
English Summary
Facts
The Romanian DPA initiated an investigation regarding the practices of the non-financial institution Hora Credit IFN SA (the controller).
The investigation followed a complaint brought by a complainant, a client of the controller, claiming that the controller sent him by e-mail documents containing the personal data of another person, another client of the same controller.
Although the person receiving the e-mails notified the controller about the error that occurred, the controller did not remedy the respective error and continued to send messages to the wrongful recipient using the same e-mail address.
Holding
Following the investigation, the Romanian DPA assessed that the controller did not adopt sufficient security measures in line with Article 32 GDPR to prevent unauthorized disclosure of the complainant’s personal data to third parties. Furthermore, it was found that the controller did not notify the data breach to the DPA with the observance of Article 33(1) GDPR, respectively within 72 hours of having become aware of it.
Therefore, the DPA found the controller violated Article 32 GDPR, Article 33(1) GDPR, Article 15(1) GDPR and Article 12(3) and (4) GDPR and issued the controller a €24,000 fine.
The DPA also imposed the following corrective measures.
- Firstly, it requested the controller to ensure compliance with the GDPR and implement appropriate and effective security measures when dealing with data processing operations pertaining to the purpose of concluding and executing loan agreements, in order to respect professional secrecy and confidentiality of the personal data of the controller’s clients.
- Secondly, the DPA asked the controller to contact the complainant and request the deletion of the personal information they received.
- Additionally, it mandated the controller to implement an adequate internal policy for identifying risks, analyzing them and notifying the DPA in case of a data breach, in accordance with Article 33(1) GDPR.
- Lastly, the DPA requested the controller to inform its other client of the breach.
Comment
Unfortunately, the Romanian DPA does not publish its full decisions.
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.
https://www.dataprotection.ro/?page=Comunicat_Presa_07_12_2023&lang=ro
