ANSPDCP (Romania) - Fine against Vodafone România S.A. 4

From GDPRhub
Revision as of 13:08, 1 June 2021 by DianaR (talk | contribs) (Created page with "{{DPAdecisionBOX |Jurisdiction=Romania |DPA-BG-Color=background-color:#ffffff; |DPAlogo=LogoRO.jpg |DPA_Abbrevation=ANSPDCP (Romania) |DPA_With_Country=ANSPDCP (Romania) |Ca...")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
ANSPDCP (Romania) - Fine against Vodafone România S.A. 4
Authority: ANSPDCP (Romania)
Jurisdiction: Romania
Relevant Law:
Articles 3(1), 3(3)a and 3(3)b of the Law no. 506/2004
Type: Investigation
Outcome: Violation Found
Published: 27.05.2021
Fine: 5000 RON
Parties: Vodafone România
National Case Number/Name: Fine against Vodafone România S.A. 4
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Romanian
Original Source: ANSPDCP (in RO)
Initial Contributor: Diana Rosu

The Romanian DPA fined Vodafone Romania RON 5,000 (approximately €1,000) for not taking the necessary measures to prevent a data breach that lead to the transmission of some of its clients' invoices to third parties.

English Summary


Following a data breach notification from the controller Vodafone Romania, the Romanian DPA started an investigation and found that Vodafone wrongfully sent some of its clients' invoices to third parties.



Due to the fact that the invoices contained personal data of its clients, Vodafone Romania was fined RON 5,000 (approximately €1,000) for not taking the necessary measures to ensure data security and to prevent unauthorised access.


Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.

The National Supervisory Authority completed in May of this year an investigation of the controller Vodafone Romania S.A. and found a violation of the provisions of art. 3 para. (1) and para. (3) lit. a) and b) of Law no. 506/2004, amended and supplemented.

As such, the controller Vodafone Romania S.A. was sanctioned with a fine of 5,000 RON.

The investigation was initiated as a result of a notification of a personal data breach that was transmitted by the controller, based on the provisions of art. 33 of the General Data Protection Regulation.

In it, it was found that the related invoices of some Vodafone customers were erroneously sent to the e-mail addresses of third parties. This led to the processing and unauthorized access to certain personal data of Vodafone customers, such as name, surname, telephone number, customer code, address.

Therefore, the National Supervisory Authority found that the controller did not take adequate technical and organizational measures to ensure the security of the processing of personal data, ensuring that personal data can be accessed only by persons authorized for the purposes authorized by law and protect personal data stored or transmitted against unlawful processing, access or disclosure.

On this occasion, we reiterate the need for internal training of employees by each controller on the rules of personal data protection, part of the mandatory organizational measures incumbent on him.