ANSPDCP (Romania) - Fine against S.P.E.E.H. Hidroelectrica S.A.

From GDPRhub
ANSPDCP (Romania) - Fine against S.P.E.E.H. Hidroelectrica S.A.
Authority: ANSPDCP (Romania)
Jurisdiction: Romania
Relevant Law: Article 5(1)(a) GDPR
Article 6(1) GDPR
Article 32(1)(b) GDPR
Article 32(2) GDPR
Type: Investigation
Outcome: Violation Found
Decided: 01.10.2021
Published: 01.11.2021
Fine: 5000 EUR
Parties: S.P.E.E.H. Hidroelectrica S.A.
National Case Number/Name: Fine against S.P.E.E.H. Hidroelectrica S.A.
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Romanian
Original Source: ANSPDCP (in RO)
Initial Contributor: Diana Rosu

The Romanian DPA fined a controller approx €5.000, issued a warning and applied two corrective measures, as sanctions for a data breach and for processing personal data without a legal base, in breach of Article 32(1)(b), Article 32(2), Article 5(1)(a), and Article 6(1) GDPR.

English Summary


Following a data breach, the controller S.P.E.E.H. Hidroelectrica S.A. (a supplier of hydroelectricity) erroneously sent the personal data of 325 data subjects to the wrong recipients. The data breach was reported to the Romanian DPA. The subsequent investigation clarified certain elements of the breach and revealed that the controller had been processeing the personal data of 3 data subjects who previously exercised their right to erasure and withdrawn their consent for the processing.


The Romanian DPA completed an investigation and found a breach of several GDPR provisions, for which it sanctioned the controller as follows:

- a fine of approx €5,000 (RON 24,739.50) for breaching the Article 32(1)(b) and Article 32(2) GDPR;

- a warning for breaching the Article 5(1)(a) and Article 6(1) GDPR;

- a corrective measure ordering the controller to update its technical and organisational measures to ensure a level of security appropriate to the risk of processing;

- a corrective measure ordering the controller to implement a measure that will guarantee personal data is accurate and updated according to the purpose of processing.


Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.

01.11.2021 & # 13;
Sanction for violating RGPD & # 13;
& # 13;
On 01.10.2021, the National Supervisory Authority completed an investigation at the S.P.E.E.H. Hidroelectrica S.A. and found a violation of the provisions of art. 32 para. (1) lit. b) and para. (2) of the General Regulation on Data Protection (RGPD), as well as the violation of the provisions of art. 5 para. (1) lit. a) and of art. 6 para. (1) of the RGPD. & # 13;
The S.P.E.E.H. Hidroelectrica S.A. was fined as follows: & # 13;
- fine in the amount of 24,739.50 lei, the equivalent of 5,000 EURO, for violating the provisions of art. 32 para. (1) lit. b) and para. (2) of the RGPD; & # 13;
- warning, for violating the provisions of art. 5 para. (1) lit. a) and of art. 6 para. (1) of the RGPD. & # 13;
The investigation was initiated as a result of the transmission by the operator of several notifications of personal data breach. & # 13;
The national supervisory authority found that the operator did not implement adequate technical and organizational measures in order to ensure a level of security appropriate to the risk presented by the processing. & # 13;
This situation has led to the access or illicit disclosure to erroneous recipients of the personal data of a number of 325 individuals. & # 13;
Also, the operator processed the personal data of 3 individuals, own customers, after exercising the right to delete data and withdrawing consent for data processing by them. Thus, the processing was performed without the existence of one of the legal grounds provided by art. 6 para. (1) of the RGPD, although the operator had the obligation to process the data legally, fairly and transparently to the data subject. & # 13;
At the same time, the following corrective measures were applied to the operator: & # 13;
- reviewing and updating the technical and organizational measures implemented following the risk assessment for the rights and freedoms of individuals, including working procedures on the protection of personal data, and the implementation of measures on the regular training of persons acting under its authority, regarding the obligations incumbent on them according to the provisions of the RGPD, including regarding the risks involved in the processing of personal data, depending on the specifics of the activity; & # 13;
- identifying and implementing measures to ensure that the personal data processed are accurate and up-to-date, taking into account the purposes for which they are processed, including the record of the exercise by data subjects of the right to the deletion of personal data. & # 13;
Legal and Communication Department & # 13;