ANSPDCP (Romania) - Fine against Enel Energie Muntenia SA

From GDPRhub
ANSPDCP - Fine against Enel Energie Muntenia SA
LogoRO.jpg
Authority: ANSPDCP (Romania)
Jurisdiction: Romania
Relevant Law: Article 32 GDPR
Article 33 GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided:
Published: 25.08.2022
Fine: 10,000
Parties: Enel Energie Muntensia SA
National Case Number/Name: Fine against Enel Energie Muntenia SA
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Romanian
Original Source: ANSPDCP (in RO)
Initial Contributor: Jette

The Romanian DPA reprimanded Enel Energie Muntenia and fined it €10,000 for sending an email that contained personal data of one of its customers to another customer and failing to inform the DPA about this data breach.

English Summary[edit | edit source]

Facts[edit | edit source]

A customer of Enel Energie Muntenia S.A. (controller) received an email from the controller addressed to another customer (data subject). The email contained files including the data subject's personal information. The customer that received the email filed a complaint with the DPA about this incident, which started an investigation.

The controller didn't explain why one of its employees accidently replied to the wrong customer. Additionally, it didn't demonstrate any corrective measures to stop further unauthorized access or disclosure and did not provide evidence of notification of this incident to the DPA.

Holding[edit | edit source]

The DPA found that the controller did not adopt sufficient security measures under Article 32 GDPR, which led to the unlawful disclosure a customers personal data to another customer. The DPA fined the controller €10,000 for this data breach.

The DPA further noted that the security incident should have been notified within 72 hours from the moment the controller became aware of it under Article 33 GDPR. Thus it issued a warning as the controller failed notify the DPA.

In addition, the DPA ordered the controller to:

  • implement approperate technical and organisational measures, in particular to train it's employees to work GDPR-compliant;
  • contact the complainant to request them to take steps to delete, destroy, as appropriate, personal information to which they had access;
  • adopt internal measures to mitigate the risks to which the data subject's personal data was exposed, to prevent future unlawful disclosure or access to their personal data.

Comment[edit | edit source]

The Romanian DPA rarely published full decisions. This summary is based on a press release of the Romanian DPA.

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.

22.08.2022

A new penalty for breaching GDPR



In July 2022, the National Supervisory Authority completed an investigation at the operator Enel Energie Muntenia S.A. as a result of which the violation of the provisions of the General Data Protection Regulation (RGPD) was found, the operator being penalized for contravention with a fine and a warning, as follows:

fine in the amount of 49,337 lei (the equivalent of 10,000 euros) for violating the provisions of art. 32 of the GDPR; warning for violating the provisions of art. 33 GDPR

The investigation was started as a result of reports filed by a natural person who reported that, after a telephone request to Enel Energie Muntenia S.A., he received on his e-mail address from contacteem.ro@enel.com a response addressed to another client, a natural person, accompanied by certain documents that could be viewed.

During the investigation, it was noted that the operator Enel Energie Muntenia S.A. did not provide clear information on the reasons why one of its employees mistakenly sent the response to the petitioner to the National Supervisory Authority.

Also, the operator did not provide evidence that it took remedial measures to reduce the risk to which the personal data was exposed and to prevent future illegal disclosure or access to the personal data.

The operator has not provided evidence of notification of this incident to the National Supervisory Authority. Or, considering the circumstances of this case, described above, the security incident should have been notified based on art. 33 of the RGPD, within no more than 72 hours from the date on which the operator Enel Energie Muntenia S.A. became aware of it.

As such, the operator Enel Energie Muntenia S.A. was sanctioned with a fine, since he did not adopt sufficient security measures according to art. 32 of the RGPD, a fact that led to a security incident by sending documents visibly containing the personal data of a targeted person to a third party by e-mail, as well as with a warning because he did not notify the National Authority for Supervision of the Processing of Personal Data.

At the same time, pursuant to art. 58 para. (2) lit. d) of the RGPD, have been ordered towards the operator Enel Energie Muntenia S.A. :

- the corrective measure to ensure compliance with the RGPD of personal data processing operations, by implementing technical and organizational security measures appropriate to the specifics of the processing and the risks identified, throughout the data processing cycle, especially in terms of the training of individuals that processes data under its authority (employees or collaborators), of the regular verification of compliance with the instructions sent to them, of the automation of certain processes to reduce the risks of illegal or unauthorized processing of personal data, as well as the rapid detection, management and reporting of situations of violation of the security of personal data;

- the corrective measure to ensure compliance with the RGPD of personal data processing operations, by contacting the petitioner of the Authority (at his e-mail address) to request him to take measures to delete, destroy, as the case may be, the personal information to which had access following the receipt by email of correspondence addressed to a third party;

- the corrective measure to ensure compliance with the RGPD of personal data processing operations, by adopting internal measures to reduce the risks to which the third party's personal data were exposed, in order to prevent the disclosure or illegal access of the third party's personal data in the future .



Legal and Communication Department

A.N.S.P.D.C.P.