ANSPDCP (Romania) - Fine against Bitfactor SRL

From GDPRhub
Revision as of 08:12, 6 October 2022 by Kv
Authority: ANSPDCP (Romania)
Jurisdiction: Romania
Relevant Law: Article 25(1) GDPR
Article 32(1)(b) GDPR
Article 32(1)(d) GDPR
Article 32(2) GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided:
Published: 22.09.2022
Fine: 2000 EUR
Parties: Bitfactor SRL
National Case Number/Name: Fine against Bitfactor SRL
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Romanian
Original Source: ANSPDCP (in RO)
Initial Contributor: Diana Rosu

The Romanian DPA fined Bitfactor SRL €2,000 after a data breach affecting 1,757 users of its website, for failing to implement adequate technical and organisational measures both when determining the means of processing and during the processing itself.

English Summary

Facts

An application operated by Bitfactor (the controller) to send marketing communications to users of its website malfunctioned. This resulted in a data breach affecting 1,757 users of the controller's website (the data subjects). The press release does not indicate which categories of personal data were involved or what happened to them, other than that the incident was a 'breach of confidentiality'.

The controller notified the Romanian DPA of the data breach. Following the notification, the DPA started an investigation.

Holding

The DPA found that the controller lacked adequate technical and organisational measures to ensure that personal data was protected, both at the time of determining the means of processing and at the time of the processing itself.

The DPA held that the controller was obliged to respect the principle of integrity and confidentiality laid down in Article 5(1)(f) GDPR. In this context, the DPA referred to Article 25(1) GDPR (data protection by design) and Recital 78 GDPR.

As a result, the controller was found in breach of Articles 25(1), 32(1)(b), 32(1)(d) and 32(2) GDPR and was fined 9,852.8 RON (approximately €2,000).

Comment

The Romanian DPA only publishes press releases, not the full decisions. This summary is based on the press release.

The press release does not describe which technical and organisational measures the controller had implemented, nor why they were found insufficient.

Further Resources

English Machine Translation of the Decision

The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.

22.09.2022

A new penalty for breaching the GDPR

In August 2022, the National Supervisory Authority completed an investigation of the operator Bitfactor SRL and found a violation of the provisions of art. 25 para. (1) and art. 32 para. (1) and para. (2) of the General Data Protection Regulation.

The operator Bitfactor SRL was fined 9,852.8 lei (the equivalent of 2,000 EUR) for this contravention.

The investigation was opened following a notification of a personal data breach submitted by the operator under the General Data Protection Regulation.

The data breach occurred as a result of the malfunctioning of an application of the operator that sent marketing communications to users of its website, which led to a breach of the confidentiality of the personal data of 1,757 data subjects, users of the operator's website.

During the investigation, it was found that the operator had not implemented adequate technical and organisational measures to continuously protect the personal data of the data subjects, both at the time of establishing the means of processing and at the time of the processing itself, intended to effectively apply the principles of data protection and to integrate the necessary safeguards into the processing, although, according to art. 5 lit. f) of the General Data Protection Regulation, the operator had the obligation to respect the principle of integrity and confidentiality.

In this context, we emphasise that art. 25 para. (1) of the General Data Protection Regulation states that "the operator, both at the time of establishing the means of processing and at the time of the processing itself, implements appropriate technical and organisational measures, such as pseudonymisation, which are intended to effectively implement data protection principles, such as data minimisation, and to integrate the necessary safeguards into the processing, in order to meet the requirements of this Regulation and protect the rights of data subjects."

Also, recital (78) of the General Data Protection Regulation establishes that "the operator should adopt internal policies and implement measures which meet in particular the principles of data protection by design and data protection by default."

As such, the operator Bitfactor SRL was fined 9,852.8 lei (the equivalent of 2,000 EUR) for violating the provisions of art. 25 para. (1) and art. 32 para. (1) lit. b) and d) and para. (2) of the General Data Protection Regulation.

Legal and Communication Department

A.N.S.P.D.C.P.