ANSPDCP (Romania) - Fina against NN Pensii Societate de Administrare a unui Fond de Pensii Administrat Privat S.A. and NN Asigurări de Viață S.A.

From GDPRhub
Revision as of 20:03, 15 May 2023 by Diana
Authority: ANSPDCP (Romania)
Jurisdiction: Romania
Relevant Law: Article 32(1)(b) GDPR
Article 32(1)(d) GDPR
Article 32(2) GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided:
Published: 12.05.2023
Fine: 2,500 EUR
Parties: NN Asigurări de Viață S.A.
NN Pensii Societate de Administrare a unui Fond de Pensii Administrat Privat S.A.
National Case Number/Name: Fina against NN Pensii Societate de Administrare a unui Fond de Pensii Administrat Privat S.A. and NN Asigurări de Viață S.A.
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Romanian
Original Source: ANSPDCP (in RO), https://www.dataprotection.ro/?page=Comunicat_Presa_12_05_2023&lang=ro
Initial Contributor: Diana Rosu

The Romanian authority fined two controllers €1,500 and €1,000 respectively for a data breach caused by insufficient testing of their online application before deployment.

English Summary

Facts

Two insurance providers owned by the same parent company notified the Romanian Data Protection Authority about a data breach affecting both of them. Both controllers use an application (NN Direct) to provide the services offered to their customers. The breach was caused by a software change to the pages that host the NN Direct application which was not tested by the controllers before deployment. As a result, some users were granted unauthorised access to the personal data of two other users (name, personal numerical code, address, e-mail address, phone number).

Holding

Following the data breach notification, the Romanian authority opened an investigation against each controller and found that neither of them had implemented the technical and organisational measures that would ensure the security of the system through periodic and documented tests and assessments. As such, both controllers were found in breach of Article 32(1)(b) and (d) and Article 32(2) GDPR. NN Pensii Societate de Administrare a unui Fond de Pensii Administrat Privat S.A. was fined €1,500, while NN Asigurări de Viață S.A. was fined €1,000. Additionally, both controllers were ordered to take corrective measures, being required to implement sufficient technical and organisational measures that enable regular and documented testing of their application.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.

12.05.2023

New sanctions

The National Supervisory Authority completed, in April 2023, two investigations of insurance operators.

The investigations were started as a result of data security breach notifications that were sent by NN Pensii Societate de Administrare a unui Fond de Pensii Administrat Privat S.A. and NN Asigurări de Viață S.A.

As such, it was found that:

The operator NN Pensii Societate de Administrare a unui Fond de Pensii Administrat Privat S.A. violated the provisions of art. 32 para. (1) lit. b) and d) and art. 32 para. (2) of Regulation (EU) 2016/679 and was fined in the amount of 7,407.00 lei (the equivalent of 1,500 euros). The operator NN Asigurări de Viață S.A. violated the provisions of art. 32 para. (1) lit. b) and d) and art. 32 para. (2) of Regulation (EU) 2016/679 and was penalised with a fine of 4,938.00 lei (the equivalent of 1,000 euros).

1. As part of the investigation carried out at the operator NN Pensii Societate de Administrare a unui Fond de Pensii Administrat Privat S.A., it was found that it made a series of changes to the configuration of the equipment that provides the temporary storage of the web pages of the NN Direct application made available to customers, the option to keep the web pages in its memory being activated. This situation resulted in some users of the operator's application viewing, for a period of time, personal data that did not belong to them.

From the checks carried out, it turned out that this situation led to unauthorised access and the loss of confidentiality of personal data (surname, first name, personal numerical code, address in the identity card, mailing address, e-mail address and telephone number), with two persons affected by the incident. It also emerged that, prior to making the NN Direct application available to the public, the configuration changes to the device that provides the temporary storage of its web pages were not subjected to a testing process by the operator.

The National Supervisory Authority found that the operator NN Pensii Societate de Administrare a unui Fond de Pensii Administrat Privat S.A. has not implemented adequate technical and organisational measures to ensure a level of security appropriate to the risk of processing, including the ability to ensure the confidentiality, integrity, continued availability and resilience of processing systems and services, and a process for periodic testing, evaluation and assessment of the effectiveness of technical and organisational measures to guarantee the security of processing.

At the same time, the operator was also ordered, as a corrective measure, to implement a documented and approved testing mechanism, applied at regular intervals, through which tests are carried out on the possible configurations of the applications made available to the clients of NN Pensii Societate de Administrare a unui Fond de Pensii Administrat Privat S.A., with the results documented and remedial measures applied in order to avoid similar security incidents.

2. As part of the investigation at the operator NN Asigurări de Viață S.A., it was found that it made a series of changes to the configuration of the equipment that provides the temporary storage of the web pages of the NN Direct application made available to customers, with the option to keep the web pages in its memory being activated. Therefore, it was possible for some users of the operator's application to view, for a period of time, personal data that did not belong to them.

As a result of the checks within the investigation, it turned out that this situation led to unauthorised access and the loss of confidentiality of personal data (surname, first name, personal numerical code, address in the identity card, mailing address, e-mail address and phone number). At the same time, it emerged that, before making the NN Direct application available to the public, its changes were not subjected to a testing process by the operator.

The National Supervisory Authority found that the operator NN Asigurări de Viață S.A. has not implemented adequate technical and organisational measures to ensure a level of security appropriate to the risk of processing, including the ability to ensure the confidentiality, integrity, continued availability and resilience of processing systems and services, and a process for periodic testing, evaluation and assessment of the effectiveness of technical and organisational measures to guarantee the security of processing.

At the same time, the operator was also ordered, as a corrective measure, to implement a documented and approved testing mechanism, applied at regular intervals, through which tests are carried out on the possible configurations of the applications made available to NN Asigurări de Viață S.A. customers, with the results documented and remedial measures applied in order to avoid similar security incidents.
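The mechanism that both parts of the decision describe (a device in front of the NN Direct pages switched to keep pages in memory, after which one customer's page was shown to another) is the classic shared-cache failure: a cache keyed on the URL alone stores a personalised response and replays it to the next requester. The decision does not say what the device keyed on or which headers the application sent; the simulation below is an added example, not code from the decision or from NN, and it assumes a URL-keyed cache that honours standard Cache-Control directives, with a constructed portal, constructed session tokens and placeholder customer records. It reproduces the leak with the "keep pages in memory" option enabled, and then shows the two checks a pre-deployment test of the kind the corrective measure orders would run: a cross-user test through the cache, and an audit of every authenticated page's cache headers.

```python
# Added example (not from the decision or from NN): a shared page cache in front of a
# personalised customer portal, plus the pre-deployment checks that would have flagged
# the configuration change described in the decision. All names and values are constructed.
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Response:
    body: str
    headers: Dict[str, str] = field(default_factory=dict)


class PersonalDataApp:
    """Constructed stand-in for a customer portal: every page is personalised,
    so no response may ever be shared between sessions."""

    # Constructed session tokens and placeholder customer records.
    CUSTOMERS = {
        "session-alice": "Alice Example, CNP 0000000000000 (placeholder), alice@example.test",
        "session-bob": "Bob Example, CNP 1111111111111 (placeholder), bob@example.test",
    }

    def __init__(self, cache_safe_headers: bool) -> None:
        # True: responses carry Cache-Control: private, no-store.
        # False: the application silently relies on the intermediary never caching.
        self.cache_safe_headers = cache_safe_headers

    def handle(self, path: str, session: Optional[str]) -> Response:
        record = self.CUSTOMERS.get(session or "")
        if record is None:
            return Response("login required", {"Cache-Control": "no-store"})
        headers = {"Content-Type": "text/html"}
        if self.cache_safe_headers:
            headers["Cache-Control"] = "private, no-store"
        return Response(f"<p>{record}</p>", headers)


def cacheable_by_shared_cache(resp: Response) -> bool:
    """A shared cache must not store a response marked private or no-store."""
    cc = resp.headers.get("Cache-Control", "").lower()
    directives = {d.strip() for d in cc.split(",")}
    return not ({"private", "no-store"} & directives)


class SharedCache:
    """Models the 'keep web pages in memory' option on the device in front of the
    application. Like a misconfigured shared cache it keys on the path alone and
    ignores who is asking."""

    def __init__(self, app: PersonalDataApp, keep_pages_in_memory: bool) -> None:
        self.app = app
        self.keep_pages_in_memory = keep_pages_in_memory
        self.store: Dict[str, Response] = {}

    def get(self, path: str, session: Optional[str]) -> Response:
        if self.keep_pages_in_memory and path in self.store:
            return self.store[path]  # replayed to whoever asks next
        resp = self.app.handle(path, session)
        if self.keep_pages_in_memory and cacheable_by_shared_cache(resp):
            self.store[path] = resp
        return resp


def cross_user_leak(keep_pages_in_memory: bool, cache_safe_headers: bool) -> bool:
    """Pre-deployment test: fetch the account page as one customer, then as
    another, and report whether the second customer sees the first's data."""
    cache = SharedCache(PersonalDataApp(cache_safe_headers), keep_pages_in_memory)
    cache.get("/account", "session-alice")
    bob_view = cache.get("/account", "session-bob")
    return "Alice" in bob_view.body


def audit_cache_headers(app: PersonalDataApp, paths: List[str], session: str) -> List[str]:
    """Configuration check: list every authenticated page whose headers would let a
    shared cache store it, whatever the cache in front happens to be set to today.
    Returns the paths that still need Cache-Control: private, no-store."""
    return [p for p in paths if cacheable_by_shared_cache(app.handle(p, session))]


if __name__ == "__main__":
    print("incident config leaks:", cross_user_leak(True, False))            # True
    print("cache off leaks:", cross_user_leak(False, False))                  # False
    print("cache on, safe headers leaks:", cross_user_leak(True, True))       # False
    print("pages missing cache-safe headers:",
          audit_cache_headers(PersonalDataApp(False), ["/account", "/policies"], "session-alice"))
```

The point of running both checks is that they fail for different reasons: the cross-user test catches the incident configuration regardless of what the application sends, while the header audit catches an application that only stays safe as long as nobody flips the caching option, which is exactly the dependency the untested configuration change broke.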

Legal and Communication Department

A.N.S.P.D.C.P