ANSPDCP (Romania) - Fine against Societatea Civilă Profesională de Avocați „Sabou, Burz & Cuc”

From GDPRhub
Revision as of 08:17, 1 March 2022 by DianaR (talk | contribs) (→‎Facts)
Authority: ANSPDCP (Romania)
Jurisdiction: Romania
Relevant Law: Article 5(1)(a) GDPR
Article 5(1)(b) GDPR
Article 5(1)(c) GDPR
Article 5(1)(f) GDPR
Article 5(2) GDPR
Article 6 GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided:
Published: 22.02.2022
Fine: 1000 EUR
Parties: Societatea Civilă Profesională de Avocați „Sabou, Burz & Cuc”
National Case Number/Name: Fine against Societatea Civilă Profesională de Avocați „Sabou, Burz & Cuc”
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Romanian
Original Source: ANSPDCP (in RO)
Initial Contributor: Diana Rosu

A lawyer's office was fined EUR 1000 for disclosing the personal data of one of its clients in a WhatsApp group with 247 members.

English Summary

Facts

After a complaint was filed by a data subject, the Romanian DPA started an investigation against a lawyer's office. The investigation found that, while the lawyer was defending the data subject, they posted on a lawyers' WhatsApp group (with 247 members) a case file containing personal data.

Holding

The investigation found that the case file was shared without a valid legal basis and without taking the necessary technical and organisational measures meant to ensure data confidentiality, in breach of GDPR Articles 5(1)(a), 5(1)(b), 5(1)(c), 5(1)(f), 5(2), and 6.

The controller was therefore fined approximately EUR 1000 (RON 4946) and sanctioned with the corrective measures of:

- being required to notify the members of the WhatsApp group about the breach and to request them to erase the file;

- being required to comply with GDPR by training its personnel and by avoiding any unlawful data disclosure.

English Machine Translation of the Decision

The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.

22.02.2022

GDPR fine



In February, the National Supervisory Authority completed an investigation at the operator of the Professional Civil Law Firm “Sabou, Burz & Cuc” and found that it had violated the provisions of art. 5 para. (1) lit. a), b), c), f) and par. (2) and of art. 6 of the General Data Protection Regulation.

The operator of the Professional Civil Law Firm “Sabou, Burz & Cuc” was sanctioned with a fine of 4946 lei, the equivalent of 1,000 EURO.

The investigation was initiated following a complaint alleging the disclosure by the operator of the personal data of a petitioner (customer of the operator) without his consent and prior information, by posting an address received by him from a public institution in a WhatsApp group used by lawyers of a bar.

The investigation found that the Professional Civil Law Firm "Sabou, Burz & Cuc" disclosed the personal data of the data subject (name, surname, home address, information regarding a case pending before a court) on a WhatsApp group consisting of 247 members, without legal basis, excessively and incompatible with the initial purpose of their collection, as well as without the adoption of technical and organizational measures to maintain the confidentiality of these data, thus violating the provisions of art. 5 para. (1) lit. a), b), c), f) and par. (2), as well as of art. 6 of the General Data Protection Regulation.

At the same time, the following corrective measures were applied to the operator:

- corrective action to ensure compliance with the General Data Protection Regulation of the data collection and further processing of the petitioner's personal data to ensure the notification of all members of the WhatsApp group used by lawyers of a bar in order to delete the address posted on this group;

- corrective action to ensure compliance with the General Data Protection Regulation of the collection and further processing of personal data in the legal relations of assistance and representation of the operator's customers, so as to avoid disclosure of personal data obtained from them, except in situations permitted by law, including through regular training of data controllers under the authority of the controller.

A.N.S.P.D.C.P.