Editing ANSPDCP (Romania) - Fine against Vodafone România S.A. 4

{{DPAdecisionBOX

|Jurisdiction=Romania
|DPA-BG-Color=background-color:#ffffff;
|DPAlogo=LogoRO.jpg
|DPA_Abbrevation=ANSPDCP (Romania)
|DPA_With_Country=ANSPDCP (Romania)

|Case_Number_Name=Fine against Vodafone România S.A. 4
|ECLI=

|Original_Source_Name_1=ANSPDCP
|Original_Source_Link_1=https://www.dataprotection.ro/?page=Comunicat_Presa_27_05_2021&lang=ro
|Original_Source_Language_1=Romanian
|Original_Source_Language__Code_1=RO

|Type=Investigation
|Outcome=Violation Found
|Date_Decided=
|Date_Published=27.05.2021
|Year=2021
|Fine=5000
|Currency=RON



|National_Law_Name_1=Articles 3(1), 3(3)a and 3(3)b of the Law no. 506/2004
|National_Law_Link_1=http://legislatie.just.ro/Public/DetaliiDocument/56973

|Party_Name_1=Vodafone România 
|Party_Link_1=https://www.vodafone.ro/
|Party_Name_2=
|Party_Link_2=
|Party_Name_3=
|Party_Link_3=
|Party_Name_4=
|Party_Link_4=
|Party_Name_5=
|Party_Link_5=

|Appeal_To_Body=
|Appeal_To_Case_Number_Name=
|Appeal_To_Status=Unknown
|Appeal_To_Link=

|Initial_Contributor=Diana Rosu
|
}}

The Romanian DPA fined Vodafone Romania approximately €1,000 (RON 5,000) for not taking the necessary measures to prevent a data breach that lead to the transmission of certain customers' invoices to third parties.

== English Summary ==

=== Facts ===
Following a data breach notification from the controller Vodafone Romania under Article 33 GDPR, the Romanian DPA started an investigation and found that Vodafone had sent some of its customers' invoices to email addresses of third parties. The invoices contained name, surname, telephone number, customer code, and address. 
=== Holding ===
Due to the fact that the invoices contained personal data of its customers, Vodafone Romania was fined RON 5,000 (approximately €1,000) for not taking the necessary measures to ensure data security and to prevent unauthorised access. 

== Comment ==
In Romania there are two parallel provisions that require a controller to implement security measures: Article 32 of the GDPR and Article 3(1) of the Law no. 506/2004. The latter is the transposition of the E-Privacy Directive, which, additionally to provisions included in the Directive, imposes the obligation to implement security measures. 

In the current decision, the Romanian DPA applied only the provisions of the Law no. 506/2004 with regard to the lack of security measure. For a decision where both laws were applied see [[ANSPDCP - Fine against Telekom Romania mobile communications S.A. 2]]. 

== Further Resources ==
''Share blogs or news articles here!''

== English Machine Translation of the Decision ==
The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.

<pre>
The National Supervisory Authority completed in May of this year an investigation of the controller Vodafone Romania S.A. and found a violation of the provisions of art. 3 para. (1) and para. (3) lit. a) and b) of Law no. 506/2004, amended and supplemented.

As such, the controller Vodafone Romania S.A. was sanctioned with a fine of 5,000 RON.

The investigation was initiated as a result of a notification of a personal data breach that was transmitted by the controller, based on the provisions of art. 33 of the General Data Protection Regulation.

In it, it was found that the related invoices of some Vodafone customers were erroneously sent to the e-mail addresses of third parties. This led to the processing and unauthorized access to certain personal data of Vodafone customers, such as name, surname, telephone number, customer code, address.

Therefore, the National Supervisory Authority found that the controller did not take adequate technical and organizational measures to ensure the security of the processing of personal data, ensuring that personal data can be accessed only by persons authorized for the purposes authorized by law and protect personal data stored or transmitted against unlawful processing, access or disclosure.

On this occasion, we reiterate the need for internal training of employees by each controller on the rules of personal data protection, part of the mandatory organizational measures incumbent on him.
</pre>