ANSPDCP (Romania) - 24.10.2023
| ANSPDCP - 24.10.2023 | |
|---|---|
 | |
| Authority: | ANSPDCP (Romania) |
| Jurisdiction: | Romania |
| Relevant Law: | Article 32(1)(b) GDPR Article 32(1)(d) GDPR Article 32(2) GDPR |
| Type: | Complaint |
| Outcome: | Upheld |
| Started: | |
| Decided: | |
| Published: | |
| Fine: | 3000 EUR |
| Parties: | n/a |
| National Case Number/Name: | 24.10.2023 |
| European Case Law Identifier: | n/a |
| Appeal: | n/a |
| Original Language(s): | Romanian |
| Original Source: | Romanian DPA (in RO) |
| Initial Contributor: | maxinescu |
An online trading platform specialized on sale of IT products was sanctioned in relation to a data breach which led to unauthorized disclosure of personal data pertaining to its clients.
English Summary
Facts
The Romanian DPA initiated an investigation following the receiving of a complaint with respect to a data breach occurred on the platform of the controller.
During the investigation, the DPA found that the breach occurred consisted through accessing of a a link which led to public disclosure of a list of various downloadable files which includes invoices and certificates for the products purchased by the clients on the controller’s platform.
Access to such link led to unauthorized disclosure of personal data of the controllers’ clients, both consumers and business entities and included the following data: name, surname, address, e-mail address, invoice number and date, products purchased and their value.
Holding
The Romanian DPA assessed a violation of art 32 (1) (b) and (d) and 32 (2) GDPR, as the controller failed to implement adequate technical and organizational measures to ensure a level of security appropriate to the risk taken, and imposed a fine of 3000 EUR.
Comment
Unfortunately, the Romanian DPA does not publish its full decisions.
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.
24.10.2023 A new penalty for breaching GDPR In October of the current year, the National Supervisory Authority completed an investigation at the operator Mensajero SRL in which it found a violation of the provisions of art. 32 para. (1) lit. b) and d) in conjunction with art. 32 para. (2) of the General Data Protection Regulation. As such, the operator was fined 14,925.6 lei, the equivalent of 3,000 EURO. The sanction was applied as a result of a notification claiming a possible violation of the security of personal data on the website of the operator Mensajero SRL. During the investigation, it was found that the breach of data processing security occurred by accessing a link that displayed a list of numerous downloadable files that mostly contained invoices and warranty certificates for the products purchased by the operator's customers. This situation led to the unauthorized disclosure of personal data of the operator's customers (natural and legal persons), such as: name, surname, address, e-mail address, no. and invoice date, purchased products and their value. Thus, the operator Mensajero SRL was fined for violating the provisions of art. 32 para. (1) lit. b) and d) in conjunction with art. 32 para. (2) of the General Data Protection Regulation, as it did not implement adequate technical and organizational measures to ensure a level of security corresponding to the processing risk. Legal and Communication Department A.N.S.P.D.C.P.
