ANSPDCP (Romania) - Fine against Condor SA

From GDPRhub
Revision as of 20:33, 28 March 2022 by DianaR
Authority: ANSPDCP (Romania)
Jurisdiction: Romania
Relevant Law: Article 32(1) GDPR, Article 32(2) GDPR, Article 32(4) GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided:
Published: 28.03.2022
Fine: 2000 EUR
Parties: Condor SA
National Case Number/Name: Fine against Condor SA
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Romanian
Original Source: ANSPDCP (in RO)
Initial Contributor: Diana Rosu

The Romanian DPA fined a controller approx € 2000 for not implementing the necessary security measures, which resulted in unauthorized access to the personal data of its current and former employees.

English Summary

Facts

During an investigation, the Romanian DPA found that a controller, a parachute and military flight equipment manufacturer, did not implement the necessary security measures, which led to unauthorized access to personal data. As a result, personal data of current and former employees of the controller, such as name, role, salary, bank account, personal number etc., were accessed by an unauthorized person.

Holding

The DPA decided that the controller:
- did not prove to have implemented the necessary technical and organisational measures to ensure the confidentiality of its employees' personal data;
- did not prove to have trained its personnel with regard to the protection of personal data.

As such, the controller was found in breach of GDPR Article 32(1), (2) and (4) and was fined approx € 2000 (RON 9.897,4).

Additionally, the following corrective measures were imposed on the controller:
- it was required to improve its current technical and organisational measures, including training its personnel;
- it was required to contact the person who was granted unauthorized access to the personal data to make sure they will delete or destroy the personal data.

English Machine Translation of the Decision

The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.

28.03.2022

Sanction for violating the GDPR



The National Supervisory Authority completed in March 2022 an investigation at the operator Condor SA and found the violation of the provisions of art. 32 para. (1), (2) and (4) of the General Data Protection Regulation.

As such, the operator was sanctioned with a fine of 9,897.4 lei (equivalent to 2,000 EURO).

The investigation was initiated as a result of a complaint alleging that the operator Condor SA disclosed personal data of a salary nature of the employees or former employees of this operator to unauthorized persons.

In the investigation, it was found that there was unauthorized access to some unspoken documents containing a number of personal data of employees or former employees, such as: place of work, name, surname, position, salary, amount for advance, bank account, personal numeric codes.

Consequently, the National Supervisory Authority found that the operator Condor SA did not present evidence showing that it had adopted sufficient appropriate technical and organizational measures to ensure the confidentiality of the processed personal data of its employees or former employees. At the same time, it was noted that the operator did not present any evidence showing the training of data controllers under its authority, which led to unauthorized access to documents. Thus, the provisions of art. 32 para. (1), (2), (4) of the General Data Protection Regulation were violated.

At the same time, during the investigation, two corrective measures were applied to the operator, as follows:

- the corrective action to ensure compliance with the General Data Protection Regulation of personal data processing operations, by implementing appropriate technical and organizational measures, including the training of data controllers under its authority;
- the corrective action to ensure compliance with the General Data Protection Regulation of personal data processing operations by contacting the person who had unauthorized access to that personal data, with a view to deleting or destroying it, as appropriate.



Legal and Communication Department

A.N.S.P.D.C.P.