ANSPDCP (Romania) - 21.08.2023

From GDPRhub
ANSPDCP - 21.08.2023
Authority: ANSPDCP (Romania)
Jurisdiction: Romania
Relevant Law: Article 25 GDPR
Article 32 GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided: 21.08.2023
Published: 23.08.2023
Fine: 70,000 EUR
Parties: n/a
National Case Number/Name: 21.08.2023
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Romanian
Original Source: ANSPDCP (Romanian) (in RO)
Initial Contributor: n/a

Following a significant data breach, the Romanian DPA investigated controller Uipath SRL and found a breach of Articles 25 and 32 GDPR. The company failed to implement the appropriate technical and organisational security measures, which resulted in a breach of 600,000 users' data. Uipath SRL was fined 346,598 RON (equivalent to €70,000).

English Summary

Facts

The investigation was initiated after Uipath SRL (the controller) notified the Romanian DPA of a personal data breach, which consisted of the publication of personal data of a significant number of users on a website. As part of the investigation, the Romanian DPA found that Uipath SRL did not implement adequate technical and organisational measures. This failure led to the unauthorised disclosure of and unauthorised access to personal data (user's first and last name, each user's unique identifier, email address, the name of the company where the user is employed, country and details of the level of knowledge obtained in the UiPath ACADEMY courses) of approximately 600,000 users of the Academy Platform belonging to the UiPath operator for a period of approximately 10 days.

Holding

The Romanian DPA held that the lack of appropriate technical and organisational security measures constituted a breach of Article 25 GDPR and Article 32 GDPR, on the following grounds:

Article 32 GDPR imposes an obligation upon controllers and processors to implement the appropriate technical and organisational measures to ensure a level of security appropriate to the risk of processing, which in this case was considered high.

Article 25 GDPR also imposes a duty on the controller to incorporate data minimisation and the security obligations outlined in Article 32 GDPR above into the means for processing (data protection by design and default).

Firstly, the Romanian DPA held that this breach of personal data processing was likely to result in physical, material or moral harm to data subjects, such as loss of control over their personal data or loss of confidentiality of personal data, amounting to a high risk to the rights and freedoms of natural persons for the purposes of Article 32 GDPR.

The lack of adequate security measures amounted to a breach of Articles 25 and 32 GDPR, especially in light of the high risks of processing. The Romanian DPA took the following into account:

  • the nature, seriousness and duration of the infringement - affecting 600,000 data subjects (users of the Academy Platform);
  • the technical settings of the storage space allowed unauthorised access to the personal data of the users of the Academy Platform;
  • the incident consisted of the publication of personal data on a third party website, information brought to the knowledge of the controller by a third party;
  • the negligence of the controller; the measures taken by the controller during the investigation by the ANSPDCP to remedy the issues raised; the degree of cooperation with the supervisory authority;
  • the categories of personal data processed (first and last name of the user associated with the Academy Platform account, user name, unique identifier of each user, e-mail address, name of the company where the user is employed, country and details of the level of knowledge obtained in the UiPath ACADEMY courses).

The Romanian DPA imposed a fine under Article 83(2) and (3) GDPR.

As such, Uipath SRL was fined 346,598 RON, equivalent to €70,000. In addition, pursuant to Article 58(2)(d) GDPR, the Supervisory Authority ordered the controller to implement corrective measures to bring its processing operations into compliance with Articles 25 and 32 GDPR, by adopting sufficient organisational and technical security measures.

English Machine Translation of the Decision

The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.

In July this year, the National Supervisory Authority for Personal Data Processing completed an investigation at the operator Uipath SRL and found a breach of Articles 25 and 32 of Regulation (EU) 679/2016.

In this case, given that the headquarters of UIPATH SRL is in Romania, the National Supervisory Authority for the Processing of Personal Data acted as the supervisory authority of the controller's headquarters, competent to act as the lead authority for cross-border processing carried out by UiPath SRL in accordance with the procedure laid down in Article 60 of Regulation (EU) 679/2016.

The investigation was initiated following the submission by the controller of a personal data breach notification under the General Data Protection Regulation.

Thus, Uipath SRL notified a personal data breach consisting of the publication of personal data of a significant number of users of the Academy Platform on a website accessible at a URL.

As part of the investigation, the National Supervisory Authority for Personal Data Processing found that Uipath SRL did not implement adequate technical and organisational measures to ensure that, by default, personal data cannot be accessed, without the intervention of the individual, by an unlimited number of persons, including the ability to ensure the continued confidentiality and resilience of the processing systems and services, as well as a process for regular testing, evaluation and assessment of the effectiveness of the technical and organisational measures to ensure the security of the processing.

This led to the unauthorised disclosure of and unauthorised access to personal data (user's first and last name, each user's unique identifier, email address, the name of the company where the user is employed, country and details of the level of knowledge obtained in the UiPath ACADEMY courses) of approximately 600,000 users of the Academy Platform belonging to the UiPath operator for a period of approximately 10 days.

The National Supervisory Authority for Personal Data Processing considered that this breach of personal data processing is likely to result in physical, material or moral harm to data subjects, such as loss of control over their personal data or loss of confidentiality of personal data.

The National Supervisory Authority considered that the circumstances of the case referred to above are of such gravity that a fine should be imposed on the controller. The case was analysed in terms of the criteria for the individualisation of fines set out in Article 83(2) and (3) of the GDPR, in particular those relating to:

  • the nature, seriousness and duration of the infringement - affecting 600,000 data subjects (users of the Academy Platform); the technical settings of the storage space allowed unauthorised access to the personal data of the users of the Academy Platform; the incident consisted of the publication of personal data on a third party website, information brought to the knowledge of the controller by a third party;
  • the negligence of the controller in this case;
  • the measures taken by the controller during the investigation by the ANSPDCP to remedy the issues raised;
  • the degree of cooperation with the supervisory authority;
  • the categories of personal data processed (first and last name of the user associated with the Academy Platform account, user name, unique identifier of each user, e-mail address, name of the company where the user is employed, country and details of the level of knowledge obtained in the UiPath ACADEMY courses).

Following the investigation, the National Supervisory Authority informed the other supervisory authorities involved, in an informal consultation procedure based on Article 60 of Regulation (EU) 2016/679, of the findings resulting from the investigations carried out in this case with cross-border impact and the proposed measures.

Given that Uipath SRL carried out cross-border processing, the provisions of Article 60 of Regulation (EU) 679/2016 were applied, as well as those of Article 16(2), (3), (5), (6), (7) of Law no. 102/2005, republished, which provide for the application of sanctions/corrective measures by decision of the President of the ANSPDCP, based on the minutes of the finding and the control report.

As such, Uipath SRL was fined 346,598 lei, equivalent to 70,000 EUR.

At the same time, pursuant to Article 58 para. (2) letter d) of Regulation (EU) 2016/679, the Supervisory Authority has ordered the controller, as a corrective measure, to implement a mechanism, applied at regular intervals, for the regular testing, evaluation and assessment of the effectiveness of the measures adopted, taking into account the risk presented by the processing, in order to ensure an adequate level of security and avoid similar security incidents in the future.

 

Legal and Communication Directorate

A.N.S.P.D.C.P.