ANSPDCP (Romania) - Fine against Rețele Electrice Muntenia SA and Rețele Electrice Dobrogea SA
ANSPDCP - Fine against Rețele Electrice Muntenia SA and Rețele Electrice Dobrogea SA | |
---|---|
Authority: | ANSPDCP (Romania) |
Jurisdiction: | Romania |
Relevant Law: | Article 32(1) GDPR; Article 32(2) GDPR |
Type: | Complaint |
Outcome: | Upheld |
Started: | |
Decided: | |
Published: | 25.06.2024 |
Fine: | 19,904 RON |
Parties: | Rețele Electrice Muntenia SA; Rețele Electrice Dobrogea SA |
National Case Number/Name: | Fine against Rețele Electrice Muntenia SA and Rețele Electrice Dobrogea SA |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | Romanian |
Original Source: | ANSPDCP (in RO) |
Initial Contributor: | naadiya.z |
The DPA imposed a €4,000 fine (RON 19,904) on two electricity providers for failing to implement adequate measures to prevent users from accessing personal data of other customers while logged into the controller’s website.
English Summary
Facts
A data subject logged into his account on the joint website of Rețele Electrice Muntenia SA and Rețele Electrice Dobrogea SA (‘controllers’) and was able to view the personal data of other customers of the controllers (name, surname, address, personal numerical code). The data subject lodged a complaint against the controllers with the Romanian DPA (‘ANSPDCP’).
Holding
Article 32(1) GDPR establishes that the controller must implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk. Article 32(2) GDPR indicates that when assessing the appropriate level of security, the risks that are presented by processing must be taken into account, in particular the unauthorized disclosure of the personal data.
The ANSPDCP found that, in the present case, the controllers did not implement adequate technical and organisational measures in order to ensure a level of security appropriate to the processing risk, which led to unauthorized access by a third party to the personal data of other customers. The DPA held that this violated Article 32(1) and 32(2) GDPR.
Therefore, the DPA imposed a €3,000 (RON 14,298) fine on Rețele Electrice Muntenia SA and a €1,000 (RON 4,976) fine on Rețele Electrice Dobrogea SA. The DPA also ordered the controllers to implement periodic tests on their website.
English Machine Translation of the Decision
The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.
25.06.2024
Penalty for GDPR violation
The National Supervisory Authority completed two investigations at the operators Rețele Electrice Muntenia SA and Rețele Electrice Dobrogea SA, during which it found a violation of the provisions of art. 32 para. (1) lit. b) and d) and art. 32 para. (2) of Regulation (EU) 2016/679.
As such, the operators were penalized with a fine for violating the aforementioned provisions, as follows:
- Rețele Electrice Muntenia SA - fine in the amount of 14,928.60 lei (the equivalent of 3000 EURO);
- Rețele Electrice Dobrogea SA - fine in the amount of 4,976.20 lei (the equivalent of 1000 EURO).
The investigations were started as a result of reports indicating that a user connected to his account on the common website of the two operators, www.e.distributie.com, could view the personal data of other customers of the operators.
At the same time, the operators Rețele Electrice Muntenia SA and Rețele Electrice Dobrogea SA sent our institution data security breach notifications regarding the reported issues.
During the investigations carried out, it was found that the operators did not implement adequate technical and organizational measures to ensure a level of security corresponding to the processing risk, including the ability to ensure the confidentiality of processing systems and services. This led to the unauthorized access of a third party to the personal data (name, surname, street, city, personal numerical code) of some customers of the operators, thus violating the provisions of art. 32 para. (1) lit. b) and d) and art. 32 para. (2) of Regulation (EU) 2016/679.
At the same time, under the provisions of art. 58 para. (2) of Regulation (EU) 2016/679, the operators Rețele Electrice Dobrogea SA and Rețele Electrice Muntenia SA were also ordered to apply the corrective measure of implementing periodic testing for the online services offered to customers on the new web portal owned by these operators.
Legal and Communication Department A.N.S.P.D.C.P