ANSPDCP (Romania) - Fine against Condor SA: Difference between revisions

From GDPRhub
Latest revision as of 15:20, 30 March 2022

ANSPDCP (Romania) - Fine against Condor SA
Authority: ANSPDCP (Romania)
Jurisdiction: Romania
Relevant Law: Article 32(1) GDPR, Article 32(2) GDPR, Article 32(4) GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided:
Published: 28.03.2022
Fine: 2000 EUR
Parties: Condor SA
National Case Number/Name: Fine against Condor SA
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Romanian
Original Source: ANSPDCP (in RO)
Initial Contributor: Diana Rosu

The Romanian DPA issued a fine of approximately €2000 against a controller for not implementing the necessary security measures to avoid unauthorised access to the personal data of its current and former employees, in violation of Articles 32(1), (2) and (4) GDPR.

English Summary

Facts

A data subject filed a claim before the Romanian DPA (ANSPDCP) against Condor SA, a parachute and military flight equipment manufacturer, claiming that it had disclosed the personal data (including data on salaries) of its current and former employees to an unauthorised person.

Holding

The ANSPDCP found that someone had gained unauthorised access to a document containing the personal data of current and former employees, which included, inter alia, name and surname, role, salary, bank account and personal identification number.

The ANSPDCP held that the controller had not implemented the necessary technical and organisational measures to ensure the confidentiality of its current and former employees' personal data, and did not prove to have adequately trained its personnel regarding the protection of personal data. As a result, the ANSPDCP held that the controller had violated Articles 32(1), (2) and (4) GDPR, and issued a fine of approximately €2000 (RON 9.897,4).

Additionally, as corrective measures, the ANSPDCP ordered the controller to implement appropriate technical and organisational measures to ensure compliance with GDPR, including the adequate training of its personnel, and also to contact the individual who was granted unauthorised access to the personal data to make sure they delete it.


English Machine Translation of the Decision

The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.

28.03.2022

Sanction for violating the GDPR



The National Supervisory Authority completed in March 2022 an investigation at the operator Condor SA and found the violation of the provisions of art. 32 para. (1), (2) and (4) of the General Data Protection Regulation.

As such, the operator was sanctioned with a fine of 9,897.4 lei (equivalent to 2,000 EURO).

The investigation was initiated as a result of a complaint alleging that the operator Condor SA disclosed personal data of a salary nature of the employees or former employees of this operator to unauthorized persons.

In the investigation, it was found that there was unauthorized access to some unspoken documents containing a number of personal data of employees or former employees, such as: place of work, name, surname, position, salary, amount for advance, bank account, personal numeric codes.

Consequently, the National Supervisory Authority found that the operator Condor SA did not present evidence showing that it had adopted sufficient appropriate technical and organizational measures to ensure the confidentiality of the processed personal data of employees or its former employees. At the same time, it was noted that the operator did not present any evidence showing the training of data controllers under his authority, which led to unauthorized access to documents. Thus, the provisions of art. 32 para. (1), (2), (4) of the General Data Protection Regulation were violated.

At the same time, during the investigation, two corrective measures were applied to the operator, as follows:

the corrective action to ensure compliance with the General Data Protection Regulation of personal data processing operations, by implementing appropriate technical and organizational measures, including the training of data controllers under its authority;

corrective action to ensure compliance with the General Data Protection Regulation of personal data processing operations by contacting the person who had unauthorized access to that personal data, with a view to deleting or destroying it, as appropriate.



Legal and Communication Department

A.N.S.P.D.C.P.