ANSPDCP (Romania) - Comunicat Presa 09 12 2022
|ANSPDCP - Comunicat Presa 09 12 2022|
|Relevant Law:|Article 25 GDPR, Article 32 GDPR|
|Parties:|Casa Rusu SRL|
|National Case Number/Name:|Comunicat Presa 09 12 2022|
|European Case Law Identifier:|n/a|
|Original Source:|Romanian DPA (in RO)|
Following the notification of a data breach, which gave unauthorized parties access to bank details, the Romanian DPA investigated a controller, concluded that it was in breach of Article 25 and 32 GDPR based on its lacking security measures, ordered the controller to take corrective measures, and fined the controller 9,883.60 RON (equivalent to €2000).
English Summary
Facts
Based on a notification of a personal data breach pursuant to Article 33 GDPR by Casa Rusu SRL, a controller, the Romanian DPA started an investigation. During its investigation, the DPA found that the breach was the result of insufficient security measures in the online payments section of the controller's website. The website's database stored the bank details of the controller's clients. The breach occurred through an unauthorized form inserted into the website's online payment section, which gave an unauthorized party access to the personal data of the controller's clients and data subjects, namely: the first and last name of bank card holders, their card numbers, the month and year of expiry of the bank cards, and the bank cards' CVC codes.
The DPA's investigation showed that the controller did not implement adequate technical and organizational measures, both at the time of establishing the means of processing the personal data, and at the time of the processing itself. It also came to light that the controller did not carry out any periodic testing, evaluation, and assessment of the effectiveness of its technical and organizational measures to guarantee the security of processing as required to effectively implement the principles of the GDPR.
Holding
As a consequence of the aforementioned investigation, the DPA came to the conclusion that the controller breached a number of GDPR articles.
The DPA found violations of Article 25 GDPR (the obligation to implement data protection by design and by default); Article 32(1)(b) GDPR (the responsibility "to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services"); Article 32(1)(d) GDPR (the obligation to implement "a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing"); and Article 32(2) GDPR (the responsibility to take into account "the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed").
As such, under Article 58(2)(d) GDPR, the controller was ordered to take into account the risk assessment for the rights and freedoms of data subjects, to review its technical and organizational security measures, and to implement corrective measures, especially regarding the processes related to electronic communications to avoid similar future incidents of unauthorized disclosure of personal data.
Additionally, pursuant to its powers under Article 58(2)(i), the DPA fined the controller 9,883.60 RON (equivalent to €2000).
Comment
This summary is based on a press release. Unfortunately, the Romanian DPA does not publish its decisions in full.
Further Resources
English Machine Translation of the Decision
The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.
09.12.2022 Penalty for GDPR violation

In November 2022, the National Supervisory Authority completed an investigation at the operator Casa Rusu S.R.L. and found a violation of the provisions of art. 25 para. (1), art. 32 para. (1) lit. b) and d) and art. 32 para. (2) of Regulation (EU) 2016/679. As such, the operator was fined 9,883.60 RON (equivalent to 2000 EURO).

The investigation was started as a result of a data security breach notification that was sent by Casa Rusu S.R.L. based on the provisions of art. 33 of Regulation (EU) 2016/679. Thus, during the investigation, it was found that the violation of the security of data processing occurred as a result of the fact that an unauthorized form was inserted into the online payment section of the website owned by the operator, through which customers' bank card data were collected. As a result, it turned out that this breach led to unauthorized access to processed data through unauthorized disclosure of and unauthorized access to certain personal data, such as: name and surname of the bank card holder, card number, month and year of expiry, CVC code.

It was found that the operator Casa Rusu S.R.L. did not implement adequate technical and organizational measures, both at the time of establishing the processing means and at the time of the processing itself. It also resulted that the operator did not carry out the periodic testing, evaluation and assessment of the effectiveness of the technical and organizational measures to guarantee the security of the processing in order to effectively implement the principles of data protection.

As such, under the provisions of art. 58 para. (2) of Regulation (EU) 2016/679, the operator was ordered, as a corrective measure, to review and update the technical and organizational measures implemented as a result of the risk assessment for the rights and freedoms of individuals, including the procedures related to electronic communications, so as to avoid similar incidents of unauthorized disclosure of processed personal data.

Legal and Communication Department A.N.S.P.D.C.P