ANSPDCP (Romania) - Fine against Bitfactor SRL
| ANSPDCP - Fine against Bitfactor SRL | |
|---|---|
| Relevant Law: | Article 25(1) GDPR; Article 32(1)(b) GDPR; Article 32(1)(d) GDPR; Article 32(2) GDPR |
| National Case Number/Name: | Fine against Bitfactor SRL |
| European Case Law Identifier: | n/a |
| Original Source: | ANSPDCP (in RO) |
| Initial Contributor: | Diana Rosu |
The Romanian DPA fined Bitfactor SRL €2,000 after a data breach affecting 1,757 users of its website, for failing to implement adequate technical and organisational measures both at the time of determining the means of processing and at the time of the processing itself.
English Summary
Facts
An application operated by Bitfactor (the controller) to send marketing communications to users of its website malfunctioned. This resulted in a data breach affecting 1,757 users of the controller's website (the data subjects). The press release does not state which categories of personal data were involved or what happened to them, only that the incident was a breach of confidentiality.
The controller notified the Romanian DPA of the data breach. Following the notification, the DPA started an investigation.
Holding
The DPA found that the controller had not implemented adequate technical and organisational measures to protect personal data on an ongoing basis, both at the time of determining the means of processing and at the time of the processing itself.
The DPA held that the controller was bound by the principle of integrity and confidentiality in Article 5(1)(f) GDPR. In this context it referred to Article 25(1) GDPR (data protection by design) and Recital 78 GDPR. The DPA fined the controller 9,852.8 lei (approximately €2,000) for violating Article 25(1) and Article 32(1)(b), (d) and (2) GDPR.
Comment
The Romanian DPA only publishes press releases. This summary is based on their press release.
The press release does not describe which technical and organisational measures the controller had implemented or why they were found insufficient.
Further Resources
English Machine Translation of the Decision
The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.
22.09.2022

A new penalty for breaching the GDPR

In August 2022, the National Supervisory Authority completed an investigation of the operator Bitfactor SRL and found a violation of the provisions of art. 25 para. (1) and art. 32 para. (1) and para. (2) of the General Data Protection Regulation. The operator Bitfactor SRL was fined 9,852.8 lei (the equivalent of EUR 2,000) for this contravention.

The investigation was opened following a notification by the operator of a personal data breach under the General Data Protection Regulation. The data breach occurred as a result of the malfunctioning of an application of the operator that sent marketing communications to users of its website, which led to a breach of the confidentiality of the personal data of 1,757 data subjects, users of the operator's website.

During the investigation, it was found that the operator had not implemented adequate technical and organisational measures that would continuously protect the personal data of the data subjects, both at the time of establishing the means of processing and at the time of the processing itself, designed to effectively implement the data protection principles and to integrate the necessary safeguards into the processing, although, under art. 5 lit. f) of the General Data Protection Regulation, the operator was obliged to respect the principle of integrity and confidentiality.

In this context, we emphasise that art. 25 para. (1) of the General Data Protection Regulation states that "the operator, both at the time of establishing the means of processing and at the time of the processing itself, shall implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects." Recital (78) of the General Data Protection Regulation likewise provides that "the operator should adopt internal policies and implement measures which meet in particular the principles of data protection by design and data protection by default."

As such, the operator Bitfactor SRL was fined 9,852.8 lei (the equivalent of EUR 2,000) for violating the provisions of art. 25 para. (1) and art. 32 para. (1) lit. b), d) and para. (2) of the General Data Protection Regulation.

Legal and Communication Department
A.N.S.P.D.C.P.