ANSPDCP (Romania) - Fine against World Class Romania S.A.
|ANSPDCP (Romania) - Fine against World Class Romania S.A.|
|Relevant Law:||Article 32 GDPR|
|Parties:||World Class România S.A.|
|National Case Number/Name:||Fine against World Class Romania S.A.|
|European Case Law Identifier:||n/a|
|Original Source:||ANSPDCP (in RO)|
|Initial Contributor:||Diana Rosu|
The Romanian DPA fined a controller approximately €2000 (RON 9 851) for breaching Article 32 GDPR by publishing the resignation request of a former employee on its employee WhatsApp group.
English Summary[edit | edit source]
Facts[edit | edit source]
The controller World Class Romania S.A. made available a resignation request of a former employee on the employees' WhatsApp group.
Holding[edit | edit source]
The Romanian DPA held that the controller did not implement appropriate technical and organisational measures to ensure an appropriate level of data confidentiality, considering that all the members of the WhatsApp group had access to the personal data included in the resignation request.
Comment[edit | edit source]
Share your comments here!
Further Resources[edit | edit source]
Share blogs or news articles here!
English Machine Translation of the Decision[edit | edit source]
The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.
The National Supervisory Authority completed, in April 2021, an investigation of the controller World Class Romania S.A., finding the violation of the provisions of art. 32 of the General Data Protection Regulation. As such, the controller World Class Romania S.A. was sanctioned with a fine in the amount of 9,851.00 RON (the equivalent of 2000 EUR). The investigation was initiated following a notification and the National Supervisory Authority found that the controller World Class Romania S.A. posted on the WhatsApp group of its employees a resignation request of one of its employees, thus allowing unauthorized access of all members of that WhatsApp group to certain personal data (name, surname, address, personal number and identity card, code personal information, information related to the request for termination of employment). In this context, the National Supervisory Authority considered that the controller World Class Romania S.A. did not take sufficient technical and organizational measures to ensure the confidentiality of the data subject's personal data. A corrective measure was also applied to the controller World Class Romania S.A. Thus, within 30 days from the communication date, the controller was ordered to ensure compliance with the General Data Protection Regulation, personal data processing operations, by implementing appropriate technical and organizational measures in case of remote transmission of personal data, including in terms of regular employee training.