ANSPDCP (Romania) - 17-03-2023/2

From GDPRhub
ANSPDCP - 17-03-2023/2
Authority: ANSPDCP (Romania)
Jurisdiction: Romania
Relevant Law: Article 32(1) GDPR
Article 32(2) GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided:
Published:
Fine: 19,646 RON
Parties: Partidul Uniunea Salvați România
National Case Number/Name: 17-03-2023/2
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Romanian
Original Source: ANSPDCP (in RO)
Initial Contributor: ls

The Romanian DPA imposed a €4,000 (RON 19,646) fine on a controller, a political party, which had notified personal data breaches after a phishing attack on a server hosting one of its applications, for failing to ensure an appropriate level of security under Article 32(1)(a) and 32(2) GDPR.

English Summary

Facts

The political party Partidul Uniunea Salvați România (Save Romania Union, the controller) notified the DPA of personal data breaches. A server hosting one of the controller's applications had been subjected to a phishing attack, which resulted in the loss of confidentiality and integrity of the personal data stored in that application. The data concerned included surnames, first names, personal numeric codes (CNP), email addresses, telephone numbers and data on political affiliation.

Holding

The DPA found that the controller had not implemented appropriate technical and organisational measures to ensure a level of security appropriate to the risk for the personal data stored in the application, naming encryption and pseudonymisation as examples of measures that were missing. Because of this, the data lost its confidentiality through unauthorised access and use. The DPA therefore found a violation of Article 32(1)(a) and 32(2) GDPR and imposed a fine of RON 19,646 (approximately €4,000). It also ordered the controller, as a corrective measure, to bring its processing operations into compliance with the GDPR by implementing appropriate technical and organisational measures on the basis of an assessment of the risk to the rights and freedoms of data subjects, including working procedures on the protection of personal data.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.

15.03.2023

Penalties



1. In February of the current year, the National Supervisory Authority completed an investigation of the operator Alliance for the Union of Romanians (Alianța pentru Unirea Românilor) and found a violation of the provisions of Art. 5 para. (1) lit. c) and para. (2) of the General Data Protection Regulation (GDPR).

As such, the Alliance for the Union of Romanians was fined 49,115 lei, the equivalent of EUR 10,000.

The sanction was applied following complaints alleging that the operator collected personal data through a website without informing the data subjects and without meeting the conditions for the lawfulness of the processing.

During the investigation it was found that personal data (surname, first name, address, identity card series and number, personal numeric code, telephone number, signature) were collected by filling in and signing the online form on the website in question, by sending the downloaded, completed and signed form by post, and by completing and signing the form at special centres organised by the Alliance for the Union of Romanians.

This led to the processing of the personal data of a significant number of data subjects in breach of the principles of personal data processing laid down in Art. 5 para. (1) lit. c) ("data minimisation") and para. (2) ("accountability") of the GDPR.



2. In February of the current year, the National Supervisory Authority completed another investigation of the operator Partidul Uniunea Salvați România (Save Romania Union) and found a violation of the provisions of Art. 32 para. (1) lit. a) and para. (2) of the General Data Protection Regulation (GDPR).

As such, the Save Romania Union was fined 19,646 lei, the equivalent of EUR 4,000.

The investigation was opened following the personal data breach notifications submitted by the operator under the General Data Protection Regulation.

The data breach occurred as a result of the loss of confidentiality and integrity of data stored on an operator's server hosting an application that was subjected to a phishing attack.

During the investigation, it was found that the operator had not implemented appropriate technical and organisational measures to ensure an appropriate level of security, such as the encryption or pseudonymisation of the personal data stored in the application in question. This led to the loss of confidentiality of the data processed, through unauthorised access to and use of personal data such as surname, first name, personal numeric code, email address, telephone number and data on political affiliation.

At the same time, a corrective measure was also applied to the operator, requiring it to bring its personal data processing operations into compliance with the GDPR by implementing appropriate technical and organisational measures, on the basis of an assessment of the risk to the rights and freedoms of individuals, including working procedures on the protection of personal data.



Legal and Communication Department

A.N.S.P.D.C.P.