ANSPDCP (Romania) - Fine against Condor SA

From GDPRhub
ANSPDCP (Romania) - Fine against Condor SA
LogoRO.jpg
Authority: ANSPDCP (Romania)
Jurisdiction: Romania
Relevant Law: Article 32(1) GDPR
Article 32(2) GDPR
Article 32(4) GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided:
Published: 28.03.2022
Fine: 2000 EUR
Parties: Condor SA
National Case Number/Name: Fine against Condor SA
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Romanian
Original Source: ANSPDCP (in RO)
Initial Contributor: Diana Rosu

The Romanian DPA issued a fine of approximately €2000 against a controller for not implementing the necessary security measures to avoid unauthorised access to the personal data of its current and former employees, in violation of Articles 32(1), (2) and (4) GDPR.

English Summary[edit | edit source]

Facts[edit | edit source]

A data subject filed a claim before the Romanian DPA (ANSPDCP) against Condor SA, a parachute and military flight equipment manufacturer, claiming that it had disclosed the personal data (including data on salaries) of its current and former employees to an unauthorised person.

Holding[edit | edit source]

The ANSPDCP found that someone had gained unauthorised access to a document containing the personal data of current and former employees, which included, inter alia, name and surname, role, salary, bank account and personal identification number.

The ANSPDCP held that the controller had not implemented the necessary technical and organisational measures to ensure the confidentiality of its current and former employees' personal data, and did not prove to have adequately trained its personnel regarding the protection of personal data. As a result, the ANSPDCP held that the controller had violated Articles 32(1), (2) and (4) GDPR, and issued a fine of approximately €2000 (RON 9.897,4).

Additionally, the as corrective measures, the ANSPDCP ordered the controller to implement appropriate technical and organisational measures to ensure compliance with GDPR, including the adequate training its personnel, and also to contact the individual who was granted unauthorised access to the personal data to make sure they delete it.

Comment[edit | edit source]

Share your comments here!

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.

28.03.2022

Sanction for violating the RGPD



The National Supervisory Authority completed in March 2022 an investigation at the operator Condor SA and found the violation of the provisions of art. 32 para. (1), (2) and (4) of the General Data Protection Regulation.

As such, the operator was sanctioned with a fine of 9,897.4 lei (equivalent to 2,000 EURO).

The investigation was initiated as a result of a complaint alleging that the operator Condor SA disclosed personal data of a salary nature of the employees or former employees of this operator to unauthorized persons.

In the investigation, it was found that there was unauthorized access to some unspoken documents containing a number of personal data of employees or former employees, such as: place of work, name, surname, position, salary, amount for advance, bank account, personal numeric codes.

Consequently, the National Supervisory Authority found that the operator Condor SA did not present evidence showing that it had adopted sufficient appropriate technical and organizational measures to ensure the confidentiality of the processed personal data of employees or its former employees. At the same time, it was noted that the operator did not present any evidence showing the training of data controllers under his authority, which led to unauthorized access to documents. Thus, the provisions of art. 32 para. (1), (2), (4) of the General Data Protection Regulation.

At the same time, during the investigation, two corrective measures were applied to the operator, as follows:

the corrective action to ensure compliance with the General Data Protection Regulation of personal data processing operations, by implementing appropriate technical and organizational measures, including the training of data controllers under its authority; corrective action to ensure compliance with the General Data Protection Regulation of personal data processing operations by contacting the person who had unauthorized access to that personal data, with a view to deleting or destroying it, as appropriate.



Legal and Communication Department

A.N.S.P.D.C.P.