ANSPDCP (Romania) - Fine against Condor SA

Authority: ANSPDCP (Romania)
Jurisdiction: Romania
Relevant Law: Article 32(1) GDPR
Article 32(2) GDPR
Article 32(4) GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided:
Published: 28.03.2022
Fine: 2000 EUR
Parties: Condor SA
National Case Number/Name: Fine against Condor SA
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Romanian
Original Source: ANSPDCP (in RO)
Initial Contributor: Diana Rosu

The Romanian DPA issued a fine of approximately €2000 against a controller for not implementing the necessary security measures to avoid unauthorised access to the personal data of its current and former employees, in violation of Articles 32(1), (2) and (4) GDPR.

English Summary

Facts

A data subject filed a claim before the Romanian DPA (ANSPDCP) against Condor SA, a parachute and military flight equipment manufacturer, claiming that it had disclosed the personal data (including data on salaries) of its current and former employees to an unauthorised person.

Holding

The ANSPDCP found that someone had gained unauthorised access to a document containing the personal data of current and former employees, which included, inter alia, name and surname, role, salary, bank account and personal identification number.

The ANSPDCP held that the controller had not implemented the necessary technical and organisational measures to ensure the confidentiality of its current and former employees' personal data, and did not prove to have adequately trained its personnel regarding the protection of personal data. As a result, the ANSPDCP held that the controller had violated Articles 32(1), (2) and (4) GDPR, and issued a fine of approximately €2000 (RON 9.897,4).

Additionally, as corrective measures, the ANSPDCP ordered the controller to implement appropriate technical and organisational measures to ensure compliance with the GDPR, including the adequate training of its personnel, and also to contact the individual who was granted unauthorised access to the personal data to make sure they delete it.


English Machine Translation of the Decision

The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.

28.03.2022

Sanction for violating the GDPR



The National Supervisory Authority completed in March 2022 an investigation at the operator Condor SA and found the violation of the provisions of art. 32 para. (1), (2) and (4) of the General Data Protection Regulation.

As such, the operator was sanctioned with a fine of 9,897.4 lei (equivalent to 2,000 EURO).

The investigation was initiated as a result of a complaint alleging that the operator Condor SA disclosed personal data of a salary nature of the employees or former employees of this operator to unauthorized persons.

In the investigation, it was found that there was unauthorized access to some unspoken documents containing a number of personal data of employees or former employees, such as: place of work, name, surname, position, salary, amount for advance, bank account, personal numeric codes.

Consequently, the National Supervisory Authority found that the operator Condor SA did not present evidence showing that it had adopted sufficient appropriate technical and organizational measures to ensure the confidentiality of the processed personal data of its employees or former employees. At the same time, it was noted that the operator did not present any evidence showing the training of data controllers under its authority, which led to unauthorized access to documents. Thus, the provisions of art. 32 para. (1), (2), (4) of the General Data Protection Regulation were violated.

At the same time, during the investigation, two corrective measures were applied to the operator, as follows:

the corrective action to ensure compliance with the General Data Protection Regulation of personal data processing operations, by implementing appropriate technical and organizational measures, including the training of data controllers under its authority;

the corrective action to ensure compliance with the General Data Protection Regulation of personal data processing operations by contacting the person who had unauthorized access to that personal data, with a view to deleting or destroying it, as appropriate.



Legal and Communication Department

A.N.S.P.D.C.P.