ANSPDCP (Romania) - 13.11.2023

From GDPRhub
Revision as of 13:14, 21 November 2023 by Maxinescu
Authority: ANSPDCP (Romania)
Jurisdiction: Romania
Relevant Law: Article 32(1)(b) GDPR
Article 32(2) GDPR
Article 32(4) GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided:
Published:
Fine: 110,000 EUR
Parties: Rompetrol Downstream SRL
National Case Number/Name: 13.11.2023
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Romanian
Original Source: Romanian DPA (in RO)
Initial Contributor: maxinescu

Rompetrol Downstream SRL, a downstream gas operator, was fined EUR 110,000 for a serious data breach in which customers' personal data were accessed by insiders without authorization and further disclosed.

English Summary

Facts

The DPA opened this investigation after the controller submitted several data breach notifications between 20.07.2021 and 03.02.2022, in accordance with Article 33 GDPR.

During the investigation, the DPA found that customer data held in the software owned by the company had been repeatedly accessed internally and used without authorization, and that the personal data of some customers had been unlawfully disclosed in order to obtain loans from non-banking financial institutions in their names.

More specifically, the personal data of the controller's customers that were unlawfully accessed and disclosed for the above illicit purpose included data from the identity card (such as: name, surname, series and number of the identity card, personal numerical code, address, place of birth, photo) and data from the salary certificate (such as: name and surname of the employee, date, signature, income earned, length of service).

Holding

The DPA held that the controller had not taken measures to ensure that any natural person acting under its authority who has access to personal data processes them only on instructions from the controller, as required by Article 32(4) GDPR. The DPA further found that the controller had not implemented technical and organizational measures adequate to ensure a level of security appropriate to the risk of the processing, in breach of Article 32(1)(b) and Article 32(2) GDPR.

Comment

Unfortunately, the Romanian DPA does not publish its full decisions, so only the press release reproduced below is available, and it does not identify which specific technical or organizational measures were found lacking. The case is nevertheless important because of the potential criminal activity the DPA uncovered in connection with the unauthorized access to and misuse of customer information, and it highlights the need for companies to enforce stringent internal access controls.


English Machine Translation of the Decision

The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.

13.11.2023

Fine for violation of art. 32 of the GDPR

In October 2023 the National Supervisory Authority completed an investigation of the controller Rompetrol Downstream SRL and found a violation of art. 32 para. (4) in conjunction with art. 32 para. (1) lit. b) and art. 32 para. (2) of Regulation (EU) 2016/679.

As a result, the controller was fined 546,073.00 lei (the equivalent of EUR 110,000).

The investigation was opened after the controller submitted several personal data breach notifications between 20.07.2021 and 03.02.2022, in accordance with art. 33 of Regulation (EU) 2016/679.

The investigation established that data of some customers held in the computer program owned by the company had been accessed internally and used without authorization, repeatedly, and that the personal data of some customers had been unlawfully disclosed for the purpose of obtaining loans from non-banking financial institutions in their names.

Through the incident, personal data of the data subjects concerned were disclosed without authorization: data from the identity card (such as: name, first name, series and number of the identity card, personal numerical code, address, place of birth, photo) and data from the salary certificate (such as: the employee's name and surname, date, signature, earned income, seniority).

The National Supervisory Authority found that Rompetrol Downstream SRL did not take measures to ensure that any natural person acting under the authority of the controller who has access to personal data processes them only at the controller's request, and did not implement adequate technical and organizational measures to ensure a level of security appropriate to the risk of the processing.

Legal and Communication Department

A.N.S.P.D.C.P