ANSPDCP (Romania) - Fine against VODAFONE România S.A. 5
|ANSPDCP (Romania) - Fine against VODAFONE România S.A. 5|
|Relevant Law:||Article 32(1)(b) GDPR|
Article 32(4) GDPR
Articles 3(1), 3(3)(a) and 3(3)(b) of Law no. 506/2004
|Parties:||VODAFONE România S.A.|
|National Case Number/Name:||Fine against VODAFONE România S.A. 5|
|European Case Law Identifier:||n/a|
|Original Source:||ANSPDCP (in RO)|
|Initial Contributor:||Diana Rosu|
Vodafone Romania was sanctioned approx €2,900 for failing to implement sufficient technical and organisational measures which led to the unauthorised access and disclosure of personal data belonging to 70 natural persons.
English Summary[edit | edit source]
Facts[edit | edit source]
The Romanian DPA started an investigation after the controller Vodafone Romania notified several security incidents that involved personal data.
One of the incidents occurred between 04.11.2020 and 22.06.2021. In this incident, the personal data belonging to 6 data subjects were disclosed without authorisation, since their contracts were sent via email to the wrong recipients. Moreover, the controller's employees also obtained unauthorised access to the individuals' data. Another incident that occurred between 04.11.2020 and 22.06.2021, allowed the controller's employees to have unauthorised access to personal data belonging to 64 individuals.
Holding[edit | edit source]
The DPA found a violation of two legal acts concerning the security of processing.
First, the DPA found that the controller did not implement sufficient technical and organisational measures to ensure that any person acting under its authority with access to personal data will act according to the controller's instructions, Article 32(4) GDPR. The controller also failed to implement necessary measures meant to ensure the confidentiality of data, Article 32(1)(b) GDPR.
Regarding the incident that occurred between 04.11.2020 and 22.06.2021, the DPA held that the controller did not implement sufficient technical and organisational measures to ensure that personal data will be accessed only by the authorised employees (Article 3(3)(a) of Law no. 506/2004), failing to ensure protection against unlawful processing, access and disclosure (Article 3(3)(b) of Law no. 506/2004).
The violation of the provisions of the GDPR was sanctioned with a fine of approx €1,500 (RON 7,421.25) and the violation of the national Law no. 506/2004 with a fine of approx €1,400 (RON 7,000).
Comment[edit | edit source]
Firstly, it is unfortunate that the ANSPDCP only provides small summaries of their decisions, which makes it hard to explain what happened exactly, and why the DPA chose to implement a fine, as well as the sum of it.
Second, it is important to explain the following:
(1) In Romania, there are two parallel provisions that require a controller to implement security measures: Article 32 of the GDPR and Article 3 of Law no. 506/2004. The latter is the transposition of the E-Privacy Directive's Article 4.
(2) This is the second time Vodafone Romania is sanctioned for not taking the necessary measures to prevent a data breach, more specifically when individuals' data is wrongfully sent to different recipients (the first fine regarding such a violation is summarised on GDPRhub - Fine against Vodafone România S.A. 4).
Furthermore, Vodafone Romania has been constantly fined for GDPR/privacy-related violations (out of which 4 other decisions are available on GDPRhub). However, each fine is considerably lower compared to Vodafone's global turnover and consequently, it doesn't have a visible effect on the controller's ways of processing personal data.
Further Resources[edit | edit source]
Share blogs or news articles here!
English Machine Translation of the Decision[edit | edit source]
The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.
11.11.2021 & # 13; Sanction for violating RGPD & # 13; & # 13; In October 2021, the National Supervisory Authority completed an investigation at the operator VODAFONE Romania S.A. and found a violation of the provisions of art. 32 para. (1) lit. b) and para. (4) of the General Regulation on Data Protection (RGPD), as well as the violation of the provisions of art. 3 para. (1) and para. (3) lit. a) and b) of Law no. 506/2004 on the processing of personal data and the protection of privacy in the electronic communications sector. & # 13; Operator S.A. was fined as follows: & # 13; - fine in the amount of 7,421.25 lei, the equivalent of 1,500 EURO, for violating the provisions of art. 32 para. (1) lit. b) and para. (2) of the RGPD; & # 13; - fine in the amount of 7,000 lei for violating the provisions of art. 3 para. (1) and para. (3) lit. a) and b) of Law no. 506/2004 & # 13; The investigation was initiated following the submission by the controller of several notifications of personal data breaches under the General Data Protection Regulation or Regulation (EU) No 1095/2010. 611/2013. & # 13; With regard to security breaches notified under the RGPD, the National Supervisory Authority found that the operator did not implement adequate technical and organizational measures to ensure that any natural person acting under the authority of the operator or the person authorized by the operator and having access to personal data shall be processed only at the request of the controller unless this obligation is incumbent on him under Union or national law and to ensure a level of security appropriate to the risk of the processing, including the ability to ensure the confidentiality of the data. 13; This situation led to unauthorized disclosure and / or unauthorized access to the personal data of a number of 6 individuals, between 16 November 2020 - 18 May 2021 (transmission of service contracts to erroneous e-mail addresses, unauthorized access of the operator's employees to the personal data of Vodafone customers without any requests from them). & # 13; With regard to security breaches notified under Regulation (EU) no. 611/2013, the National Supervisory Authority found that the operator did not implement adequate technical and organizational measures to ensure the security of personal data processing, to ensure that personal data can be accessed only by persons authorized for the purposes authorized by law and protect personal data stored or transmitted against unlawful processing, access or disclosure. & # 13; Thus, the operator processed the personal data of 64 individuals by unauthorized access to their data by the operator's employees between November 4, 2020 - June 22, 2021. & # 13; & # 13; Legal and Communication Department & # 13; A.N.S.P.D.C.P