ANSPDCP (Romania) - Fine against Vodafone România S.A. 4: Difference between revisions

From GDPRhub
(Created page with "{{DPAdecisionBOX |Jurisdiction=Romania |DPA-BG-Color=background-color:#ffffff; |DPAlogo=LogoRO.jpg |DPA_Abbrevation=ANSPDCP (Romania) |DPA_With_Country=ANSPDCP (Romania) |Ca...")
 
No edit summary
Line 48: Line 48:
}}
}}


The Romanian DPA fined Vodafone Romania RON 5,000 (approximately €1,000) for not taking the necessary measures to prevent a data breach that lead to the transmission of some of its clients' invoices to third parties.
The Romanian DPA fined Vodafone Romania approximately €1,000 (RON 5,000) for not taking the necessary measures to prevent a data breach that lead to the transmission of some of its customers' invoices to third parties.


== English Summary ==
== English Summary ==


=== Facts ===
=== Facts ===
Following a data breach notification from the controller Vodafone Romania, the Romanian DPA started an investigation and found that Vodafone wrongfully sent some of its clients' invoices to third parties.
Following a data breach notification from the controller Vodafone Romania under Article 33 GDPR, the Romanian DPA started an investigation and found that Vodafone had sent some of its customers' invoices to email addresses of third parties. The invoices contained name, surname, telephone number, customer code, address.
 
=== Dispute ===
 
 
=== Holding ===
=== Holding ===
Due to the fact that the invoices contained personal data of its clients, Vodafone Romania was fined RON 5,000 (approximately €1,000) for not taking the necessary measures to ensure data security and to prevent unauthorised access.  
Due to the fact that the invoices contained personal data of its clients, Vodafone Romania was fined RON 5,000 (approximately €1,000) for not taking the necessary measures to ensure data security and to prevent unauthorised access.  

Revision as of 15:15, 1 June 2021

ANSPDCP (Romania) - Fine against Vodafone România S.A. 4
LogoRO.jpg
Authority: ANSPDCP (Romania)
Jurisdiction: Romania
Relevant Law:
Articles 3(1), 3(3)a and 3(3)b of the Law no. 506/2004
Type: Investigation
Outcome: Violation Found
Started:
Decided:
Published: 27.05.2021
Fine: 5000 RON
Parties: Vodafone România
National Case Number/Name: Fine against Vodafone România S.A. 4
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Romanian
Original Source: ANSPDCP (in RO)
Initial Contributor: Diana Rosu

The Romanian DPA fined Vodafone Romania approximately €1,000 (RON 5,000) for not taking the necessary measures to prevent a data breach that lead to the transmission of some of its customers' invoices to third parties.

English Summary

Facts

Following a data breach notification from the controller Vodafone Romania under Article 33 GDPR, the Romanian DPA started an investigation and found that Vodafone had sent some of its customers' invoices to email addresses of third parties. The invoices contained name, surname, telephone number, customer code, address.

Holding

Due to the fact that the invoices contained personal data of its clients, Vodafone Romania was fined RON 5,000 (approximately €1,000) for not taking the necessary measures to ensure data security and to prevent unauthorised access.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.

The National Supervisory Authority completed in May of this year an investigation of the controller Vodafone Romania S.A. and found a violation of the provisions of art. 3 para. (1) and para. (3) lit. a) and b) of Law no. 506/2004, amended and supplemented.

As such, the controller Vodafone Romania S.A. was sanctioned with a fine of 5,000 RON.

The investigation was initiated as a result of a notification of a personal data breach that was transmitted by the controller, based on the provisions of art. 33 of the General Data Protection Regulation.

In it, it was found that the related invoices of some Vodafone customers were erroneously sent to the e-mail addresses of third parties. This led to the processing and unauthorized access to certain personal data of Vodafone customers, such as name, surname, telephone number, customer code, address.

Therefore, the National Supervisory Authority found that the controller did not take adequate technical and organizational measures to ensure the security of the processing of personal data, ensuring that personal data can be accessed only by persons authorized for the purposes authorized by law and protect personal data stored or transmitted against unlawful processing, access or disclosure.

On this occasion, we reiterate the need for internal training of employees by each controller on the rules of personal data protection, part of the mandatory organizational measures incumbent on him.