ANSPDCP (Romania) - Fine against Curtea Veche Publishing SRL

From GDPRhub
Revision as of 18:51, 26 September 2022 by DianaR
ANSPDCP - Fine against Curtea Veche Publishing SRL
Authority: ANSPDCP (Romania)
Jurisdiction: Romania
Relevant Law: Article 32(1)(b) GDPR
Article 32(1)(c) GDPR
Article 32(2) GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided:
Published: 21.09.2022
Fine: 5000 EUR
Parties: Curtea Veche Publishing SRL
National Case Number/Name: Fine against Curtea Veche Publishing SRL
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Romanian
Original Source: ANSPDCP (in RO)
Initial Contributor: Diana Rosu

The Romanian DPA fined a publisher EUR 5,000 for failing to implement adequate technical and organisational measures, which led to 2 data breaches affecting approximately 10839 data subjects in total.

English Summary

Facts

A Romanian publisher suffered a data breach in which one of its client databases was made publicly available on an online forum. The database included the names, phone numbers, email addresses, encrypted passwords and IP addresses of 10,739 data subjects who were the publisher's clients between 2019 and 2021.

The same publisher suffered a second data breach caused by a ransomware attack. The incident resulted in unauthorised access to some personal data belonging to approximately 100 data subjects (the publisher's employees and partners).

Following the two data breaches, the publisher notified the Romanian Authority.

Holding

After the notification, the Romanian DPA opened an investigation and found that the publisher had not implemented technical and organisational measures appropriate to the risk of the processing, in breach of Article 32(1)(b) and (c) and Article 32(2) GDPR. The publisher was therefore fined approximately EUR 5,000 (RON 24,566). Additionally, the Authority applied the corrective measure of requiring the publisher to review and update its technical and organisational measures, and to implement supplementary information security measures for the personal data it processes.

English Machine Translation of the Decision

The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.

21.09.2022

Penalty for GDPR violation



In August 2022, the National Supervisory Authority completed an investigation at the operator Curtea Veche Publishing SRL and found a violation of the provisions of art. 32 para. (1) lit. b) and c) and para. (2) of the General Data Protection Regulation.

The operator was penalized for contravention with a fine of 24,566 lei (equivalent to 5000 EURO).

The investigation was started as a result of the transmission by the operator of some notifications of personal data security violations under the General Data Protection Regulation.

One of the data security breaches occurred as a result of the posting on a public forum of a file containing the operator's customer database from 2019 to 2021.

This situation led to the unauthorized disclosure of certain personal data, such as name, surname, telephone number, e-mail, password in encrypted form, IP address from which the user account was created, of a number of 10739 customers of the operator.

The second data security breach occurred as a result of a ransomware attack, which led to unauthorized access and loss of integrity and availability of certain personal data of approx. 100 data subjects (employees and collaborators of Curtea Veche Publishing SRL).

During the investigation, the National Supervisory Authority found that the operator did not implement adequate technical and organizational measures in order to ensure a level of security corresponding to the processing risk for the rights and freedoms of natural persons.

As such, the operator Curtea Veche Publishing SRL was fined 24,566 lei (the equivalent of 5000 EURO) for violating the provisions of art. 32 para. (1) lit. b) and c) and para. (2) of the General Data Protection Regulation.

At the same time, the operator was also given the corrective measure to review and update the technical and organizational measures implemented as a result of the risk assessment for the rights and freedoms of individuals and the work procedures related to the protection of personal data, including through the implementation of additional IT data security solutions.



Legal and Communication Department

A.N.S.P.D.C.P.