ANSPDCP (Romania) - Fine against Societatea Civilă Profesională de Avocați „Sabou, Burz & Cuc”

From GDPRhub
Authority: ANSPDCP (Romania)
Jurisdiction: Romania
Relevant Law: Article 5(1)(a) GDPR
Article 5(1)(b) GDPR
Article 5(1)(c) GDPR
Article 5(1)(f) GDPR
Article 5(2) GDPR
Article 6 GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided:
Published: 22.02.2022
Fine: 1000 EUR
Parties: Societatea Civilă Profesională de Avocați „Sabou, Burz & Cuc”
National Case Number/Name: Fine against Societatea Civilă Profesională de Avocați „Sabou, Burz & Cuc”
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Romanian
Original Source: ANSPDCP (in RO)
Initial Contributor: Diana Rosu

The Romanian DPA imposed a fine of approximately €1000 on a law firm for disclosing a case file with the personal data of one of its clients on an external WhatsApp group with other lawyers, in breach of Articles 6, 5(1)(a), 5(1)(b), 5(1)(c), 5(1)(f) and 5(2) GDPR.

English Summary

Facts

A client of the “Sabou, Burz & Cuc” law firm filed a complaint with the Romanian DPA against the firm, claiming that it had posted a case file containing their personal data on an external WhatsApp group with other lawyers, without their consent. The DPA subsequently initiated an investigation into this matter.

Holding

The DPA's investigation found that the case file which included the data subject's personal data (including name, surname, home address, and information regarding a case pending before a court) was indeed shared on the external WhatsApp lawyer group, which contained 247 members.

The DPA held that the data processing in this case was carried out without a valid legal basis, and that it was excessive, incompatible with the initial purpose of collection, and lacking the necessary technical and organisational measures meant to ensure data confidentiality, in breach of Articles 6, 5(1)(a), 5(1)(b), 5(1)(c), 5(1)(f) and 5(2) GDPR.

Therefore, the DPA imposed a fine of approximately €1000 (RON 4946) on the law firm. As corrective measures, the DPA ordered the firm to notify the members of the WhatsApp group about the unlawful disclosure, to request that the group administrator erase the case file, and to train its personnel in GDPR compliance and in avoiding future unlawful data disclosures.

English Machine Translation of the Decision

The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.

22.02.2022

GDPR fine

In February, the National Supervisory Authority completed an investigation at the operator of the Professional Civil Law Firm “Sabou, Burz & Cuc” and found that it had violated the provisions of art. 5 para. (1) lit. a), b), c), f) and par. (2) and of art. 6 of the General Data Protection Regulation.

The operator of the Professional Civil Law Firm “Sabou, Burz & Cuc” was sanctioned with a fine of 4946 lei, the equivalent of 1,000 EURO.

The investigation was initiated following a complaint alleging the disclosure by the operator of the personal data of a petitioner (customer of the operator) without his consent and prior information, by posting an address received by him from a public institution on a WhatsApp group used by lawyers of a bar.

The investigation found that the Professional Civil Law Firm "Sabou, Burz & Cuc" disclosed the personal data of the data subject (name, surname, home address, information regarding a case pending before a court) on a WhatsApp group consisting of 247 members, without legal basis, excessively and incompatible with the initial purpose of their collection, as well as without the adoption of technical and organizational measures to maintain the confidentiality of these data, thus violating the provisions of art. 5 para. (1) lit. a), b), c), f) and par. (2), as well as of art. 6 of the General Data Protection Regulation.

At the same time, the following corrective measures were applied to the operator:

corrective action to ensure compliance with the General Data Protection Regulation of the data collection and further processing of the petitioner's personal data to ensure the notification of all members of the WhatsApp group used by lawyers of a bar in order to delete the address posted on this group;

corrective action to ensure compliance with the General Data Protection Regulation of the collection and further processing of personal data in the legal relations of assistance and representation of the operator's customers, so as to avoid disclosure of personal data obtained from them, except in situations permitted by law, including through regular training of data controllers under the authority of the controller.

A.N.S.P.D.C.P.