ANSPDCP (Romania) - Fine to DADA CREATION S.R.L.: Difference between revisions

From GDPRhub

Revision as of 09:51, 8 December 2020

ANSPDCP - Fine to DADA CREATION S.R.L.
Authority: ANSPDCP (Romania)
Jurisdiction: Romania
Relevant Law: Article 32(1) GDPR, Article 32(2) GDPR, Article 33(1) GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided:
Published: 24.11.2020
Fine: 5.000 EUR
Parties: n/a
National Case Number/Name: Fine to DADA CREATION S.R.L.
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Romanian
Original Source: ANSPDCP (in RO)
Initial Contributor: Stefan Musat

The Romanian DPA (ANSPDCP) fined an eCommerce company EUR 5000 because a document containing detailed records of transactions received by the site from its customers (individuals) was made available through its website.

English Summary

Facts

The Romanian DPA (ANSPDCP) received a complaint regarding the online availability of a document containing customers' personal data. On DADA CREATION S.R.L.'s website, the following personal data were made available: e-mail addresses, telephone numbers, first and last names of customers (adults and minors), age of minors, delivery addresses, order number, total order amount, products ordered and date of order. Approximately 1091 individuals were affected.

Dispute

Did the controller implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk of processing according to Article 32(1) GDPR?

Holding

The ANSPDCP found that the controller did not implement adequate technical and organizational measures to ensure a level of security appropriate to the risk of processing, which led to the unauthorized disclosure and access to personal data of approximately 1091 individuals who had placed orders on the operator's website. In addition to the applied fine of EUR 5000, the Romanian DPA issued a warning for not notifying the security incident and also applied the corrective measure to review and update the technical and organizational measures implemented as a result of the risk assessment for the rights and freedoms of individuals.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.

The National Supervisory Authority completed an investigation at the operator DADA CREATION SRL and found the violation of the provisions of art. 32 para. (1) and (2) and art. 33 para. (1) of the General Data Protection Regulation. The operator DADA CREATION SRL was sanctioned as follows: 
- fine in the amount of 24,272.50 lei, the equivalent of 5,000 EURO, for violating the provisions of art. 32 para. (1) and (2) of the General Data Protection Regulation;
- warning for violation of art. 33 para. (1) of the General Data Protection Regulation.

The investigation was launched following a complaint alleging that a document was available through the operator's website with detailed records of transactions received by this site from its customers (individuals), containing e-mail addresses, telephone numbers, name and surname of customers (adults and minors), age of minors, delivery addresses, order number, total order amount, products ordered and date of order. The breach of data security consisted in the fact that DADA CREATION SRL did not implement adequate technical and organizational measures in order to ensure a level of security appropriate to the risk of processing, which led to the disclosure and unauthorized access to personal data of approximately 1091 individuals who had placed orders on the operator's website.

Also, the operator was sanctioned with a warning because it did not notify the Supervisory Authority of the security incident (which was brought to its attention by our institution), according to art. 33 of the General Data Protection Regulation.

At the same time, the corrective measure was applied to review and update the technical and organizational measures implemented as a result of the risk assessment for the rights and freedoms of individuals, so as to avoid similar incidents of unauthorized disclosure of personal data processed.