ANSPDCP (Romania) - Fine against Actamedica SRL

From GDPRhub
ANSPDCP (Romania) - Fine against Actamedica SRL
Authority: ANSPDCP (Romania)
Jurisdiction: Romania
Relevant Law: Article 12(3) GDPR
Article 15(1) GDPR
Article 28 GDPR
Article 32 GDPR
Article 33 GDPR
Type: Investigation
Outcome: Violation Found
Decided:
Published: 24.08.2021
Fine: 3000 EUR
Parties: Actamedica SRL
National Case Number/Name: Fine against Actamedica SRL
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Romanian
Original Source: ANSPDCP (in RO)
Initial Contributor: Diana Rosu

The Romanian DPA fined a controller approximately €3000 (RON 9836.60) for failing to implement appropriate technical and organisational measures, which led to the disclosure of the complainant's biological samples. The controller had also failed to notify the DPA of the incident and to answer the complainant's request for details about the disclosure.

English Summary

Facts

After a complaint from a data subject, the Romanian DPA opened an investigation into the controller Actamedica SRL, a medical centre. The investigation found that the controller had previously informed the data subject that their biological samples and a sum of money sent by courier had been lost. When the data subject asked which other personal data had been exposed and whether the national DPA had been notified, the controller suggested that the data subject contact the company's lawyer and raise any other complaints with the courier company.

Holding

During the investigation, the DPA found that the controller had not taken security measures appropriate to the risk of the processing. This led to a security incident, in breach of Articles 28(1) and 32 GDPR, for which the controller was fined RON 9,836.6 (approximately €2,000).

Additionally, the DPA found that it had not been notified of the security incident, in breach of Article 33 GDPR, for which the controller was fined RON 4,918.3 (approximately €1,000).

Furthermore, the DPA found that the controller had not responded to the data subject's request asking which other personal data had been exposed, in breach of Articles 12(3) and 15(1) GDPR, for which the controller was issued a warning.

Finally, the Romanian DPA imposed two corrective measures on the controller, ordering it to implement appropriate security measures and to answer the data subject's request.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.

24.08.2021
Sanction for violating the GDPR

The National Supervisory Authority completed in August 2021 an investigation at the operator Actamedica SRL and found a violation of the provisions of art. 12 para. (3), art. 15 para. (1), art. 28 para. (1), art. 32 and art. 33 of the General Data Protection Regulation.
As such, the operator Actamedica SRL was sanctioned for minor offences:

- with a fine in the amount of 9836.6 lei (equivalent to 2,000 EUR), for violating art. 28 para. (1) and art. 32 of the General Data Protection Regulation;
- with a fine in the amount of 4918.3 lei (equivalent to 1,000 EUR), for violating art. 33 of the General Data Protection Regulation;
- with a warning, for violating the provisions of art. 12 para. (3) and art. 15 para. (1) of the General Data Protection Regulation.

The investigation was initiated following the receipt of a complaint alleging that Actamedica SRL from Târgu-Mureș had sent a notice to an individual regarding the loss of his biological samples and a sum of money sent through a courier company, the package having reached the recipient damaged. When asked to state which of his personal data had been exposed on this occasion and whether ANSPDCP had been notified of the incident, the operator, in its reply, gave the natural person the contact details of the company's lawyer and an e-mail address of the courier company to which he could express his "wishes".
During the investigation, the National Supervisory Authority found that Actamedica SRL had not adopted sufficient security measures, as required by art. 28 para. (1) and 32 of the GDPR, adapted to the nature of the personal data being processed, which led to a security incident. In this context, it was found that the provisions of art. 28 para. (1) and art. 32 of the General Data Protection Regulation had been violated.
Also, the National Supervisory Authority found that the operator did not notify the National Supervisory Authority of the above-mentioned security incident, thus violating the provisions of art. 33 of the General Data Protection Regulation.
On the same occasion, the National Supervisory Authority noted that Actamedica SRL did not present evidence that it had communicated a response to the postal address of the individual concerned regarding the categories of personal data exposed during the incident, as he had expressly requested. Therefore, it was found that the provisions of art. 12 para. (3) and 15 para. (1) of the General Data Protection Regulation had been violated.
The following corrective measures were also applied to the operator:

- a corrective measure to bring personal data processing operations into compliance with the General Data Protection Regulation, by implementing technical and organisational security measures appropriate to the specifics of the processing and the risks identified, throughout the data processing cycle, including the selection of processors providing sufficient guarantees for the implementation of appropriate technical and organisational measures, so that the processing complies with the requirements of the Regulation and ensures the protection of the rights of data subjects;
- a corrective measure to respond to the request of the data subject regarding the categories of personal data affected by the security incident, the answer to be communicated to the postal address indicated in the request.

Legal and Communication Department
A.N.S.P.D.C.P.