ANSPDCP (Romania) - Fine against Bitfactor SRL: Difference between revisions

From GDPRhub
(Created page with "{{DPAdecisionBOX |Jurisdiction=Romania |DPA-BG-Color=background-color:#ffffff; |DPAlogo=LogoRO.jpg |DPA_Abbrevation=ANSPDCP |DPA_With_Country=ANSPDCP (Romania) |Case_Number_...")
 
No edit summary
 
(3 intermediate revisions by one other user not shown)
Line 67 (unchanged context in both revisions):
}}

Previous revision:
The Romanian DPA fined a controller approximately EUR 2,000 over the lack of adequate technical and organisational measures that would protect personal data both at rest and in transit, which led to a data breach affecting 1757 data subjects.

Latest revision:
The Romanian DPA fined Bitfactor SRL €2,000 after a data breach affecting 1757 users of its website for the lack of adequate technical and organisational measures, both at the time of determining the means for processing and at the time of the processing itself.

== English Summary ==

=== Facts ===

Previous revision:
A data controller had a data breach due to technical malfunctions of its service used for marketing communications, affecting the personal data of 2757 data subjects (users of the controller's website).

Latest revision:
An application of Bitfactor (the controller) that sent marketing communications to users of its website malfunctioned. This resulted in a data breach affecting 1757 users of the controller's website (the data subjects). The press release does not indicate which personal data was involved and what happened to it, other than that it was a 'breach of confidentiality.'

Previous revision:
The controller notified the incident to the Romanian Authority.

Latest revision:
The controller notified the Romanian DPA of the data breach. Following the notification, the DPA started an investigation.

=== Holding ===

Previous revision:
Following the notification, the Romanian DPA started an investigation of the controller and identified a lack of adequate technical and organisational measures that will ensure personal data is protected both in transit and at rest. As a result, the controller was found in breach of GDPR Articles 25(1), 32(1)b, d and 32(2) and was fined approximately EUR 2,000 (RON 9,852.8).

Latest revision:
The DPA found that the controller lacked adequate technical and organisational measures that would ensure personal data is protected, both at the time of determining the means for processing and at the time of the processing itself.

The DPA followed that the controller had the obligation to respect the principle of integrity and confidentiality as laid down in [[Article 5 GDPR#1f|Article 5(1)(f) GDPR]]. In this context, the DPA referred to [[Article 25 GDPR#1|Article 25(1) GDPR]] (data protection by design) and Recital 78 GDPR.

As a result, the controller was found in breach of [[Article 25 GDPR#1|Articles 25(1)]], [[Article 32 GDPR#1|32(1)(b), (d)]] and [[Article 32 GDPR#2|32(2) GDPR]] and was fined approximately €2,000 (9,852.8 RON).

== Comment ==

Previous revision:
''Share your comments here!''

Latest revision:
''The Romanian DPA only publishes press releases. This summary is based on their press release.''

''The press release did not further elaborate the technical and organisational measures that the controller had implemented and why they were insufficient.''


== Further Resources ==
== Further Resources ==

Latest revision as of 08:12, 6 October 2022

ANSPDCP - Fine against Bitfactor SRL
Authority: ANSPDCP (Romania)
Jurisdiction: Romania
Relevant Law: Article 25(1) GDPR, Article 32(1)(b) GDPR, Article 32(1)(d) GDPR, Article 32(2) GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided:
Published: 22.09.2022
Fine: 2000 EUR
Parties: Bitfactor SRL
National Case Number/Name: Fine against Bitfactor SRL
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Romanian
Original Source: ANSPDCP (in RO)
Initial Contributor: Diana Rosu

The Romanian DPA fined Bitfactor SRL €2,000 after a data breach affecting 1757 users of its website for the lack of adequate technical and organisational measures, both at the time of determining the means for processing and at the time of the processing itself.

English Summary

Facts

An application of Bitfactor (the controller) that sent marketing communications to users of its website malfunctioned. This resulted in a data breach affecting 1757 users of the controller's website (the data subjects). The press release does not indicate which personal data was involved and what happened to it, other than that it was a 'breach of confidentiality.'

The controller notified the Romanian DPA of the data breach. Following the notification, the DPA started an investigation.

Holding

The DPA found that the controller lacked adequate technical and organisational measures that would ensure personal data is protected, both at the time of determining the means for processing and at the time of the processing itself.

The DPA further held that the controller had the obligation to respect the principle of integrity and confidentiality laid down in Article 5(1)(f) GDPR. In this context, the DPA referred to Article 25(1) GDPR (data protection by design) and Recital 78 GDPR.

As a result, the controller was found in breach of Articles 25(1), 32(1)(b), (d) and 32(2) GDPR and was fined approximately €2,000 (9,852.8 RON).

Comment

The Romanian DPA only publishes press releases. This summary is based on their press release.

The press release did not further elaborate the technical and organisational measures that the controller had implemented and why they were insufficient.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.

22.09.2022

A new penalty for breaching GDPR



In August 2022, the National Supervisory Authority completed an investigation at the Bitfactor SRL operator and found a violation of the provisions of art. 25 para. (1) and art. 32 para. (1) and para. (2) of the General Data Protection Regulation.

The operator Bitfactor SRL was fined 9,852.8 lei (the equivalent of 2000 EURO) for contravention.

The investigation was started as a result of the transmission by the operator of a notification of a breach of the security of personal data under the General Data Protection Regulation.

The data breach occurred as a result of the malfunctioning of an application of the operator that sent marketing communications to users of its website, which led to a breach of the privacy of the personal data of a number of 1757 data subjects, users of the website of the operator.

During the investigation, it was found that the operator did not implement adequate technical and organizational measures which would continuously protect the personal data of the persons concerned, both at the time of establishing the means of processing and at the time of the processing itself, intended to effectively apply the principles of data protection and integrate the necessary guarantees within the processing, although, according to art. 5 lit. f) of the General Data Protection Regulation, the operator had the obligation to respect the principle of integrity and confidentiality.

In this context, we emphasize that art. 25 para. (1) of the General Regulation on Data Protection, states that "the operator, both at the time of establishing the means of processing, and at the time of the processing itself, implements appropriate technical and organizational measures, such as pseudonymization, which are intended to effectively implement data protection principles, such as data minimization, and integrate the necessary safeguards into the processing, to meet the requirements of this regulation and protect the rights of data subjects."

Also, recital (78) of the General Data Protection Regulation establishes that "the operator should adopt internal policies and implement measures that respect in particular the principle of data protection from the moment of conception and that of implicit data protection."

As such, the operator Bitfactor SRL was fined 9,852.8 lei (the equivalent of 2000 EURO) for violating the provisions of art. 25 para. (1) and art. 32 para. (1) lit. b), d) and para. (2) of the General Data Protection Regulation.

Legal and Communication Department

A.N.S.P.D.C.P.