ANSPDCP (Romania) - Fine to Farmacia Ardealul SRL

From GDPRhub
ANSPDCP - Fine to Farmacia Ardealul SRL
LogoRO.jpg
Authority: ANSPDCP (Romania)
Jurisdiction: Romania
Relevant Law: Article 32(1)(b) GDPR
Article 32(1)(d) GDPR
Article 32(2) GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided:
Published: 27.06.2023
Fine: 2,500 EUR
Parties: n/a
National Case Number/Name: Fine to Farmacia Ardealul SRL
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Romanian
Original Source: ANSPDCP (in RO)
Initial Contributor: carlafilip

The Romanian DPA fined Farmacia Ardealul SRL €2,500 after suffering a malware attack, for failing to ensure adequate technical and organisational measures in compliance with Article 32 GDPR.

English Summary[edit | edit source]

Facts[edit | edit source]

Farmacia Ardealul (controller) is a pharmacy that also operates a website for the online sale of its products.

The controller was victim of a malware attack where an unauthorised program was installed on the company's website and thus a fictious form for collecting bank data was displayed to custom-ers when purchasing goods online. This situation led to the breach of confidentiality of personal data (bank data) of a significant number of customers.

The company notified the data breach to the DPA, which then opened an investigation.

Holding[edit | edit source]

The DPA found that the controller had violated Article 32(1)(b), (d) and 32(2) GDPR because they had not implemented adequate technical and organizational measures to ensure a sufficient level of security corresponding to the risk presented by the processing (such as, the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems, and implementing a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing).

Therefore, the DPA sanctioned the controller with a fine in amount of RON 12,424 (approximately €2,500). At the same time, the DPA imposed a corrective measure based on Article 58(2)(d) GDPR and ordered the controller to implement a process for regularly testing, scanning, evaluating and periodically assessing the security of the controller's IT systems, including its website.

Comment[edit | edit source]

Unfortunately, the Romanian DPA does not publish its full decisions. This summary is based on a press release.

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.

27.06.2023

A new penalty for breaching GDPR



In May of this year, the National Supervisory Authority completed an investigation at the operator Farmacia Ardealul SRL in which it found a violation of the provisions of art. 32 para. (1) lit. b) and d) and para. (2) of the General Data Protection Regulation.

As such, the company Farmacia Ardealul SRL was fined 12,424 lei, the equivalent of 2,500 EURO.

The investigation was started as a result of the transmission by the operator of a notification of breach of the security of personal data under the General Data Protection Regulation.

During the investigation, it was found that the data processing security breach occurred through the unauthorized installation of a malware program on the operator's website.

This situation led to the violation of the confidentiality of personal data (bank data) of a significant number of customers as a result of the unauthorized installation of a fictitious form for collecting bank data on the operator's website.

Thus, the operator Farmacia Ardealul SRL was fined for violating the provisions of art. 32 para. (1) lit. b) and d) and para. (2) of the General Regulation on Data Protection, as it did not implement adequate technical and organizational measures in order to ensure a level of security corresponding to the risk presented by the processing.

At the same time, the operator was also given the corrective measure to implement a plan that would include a mechanism for testing, scanning, evaluating and periodically assessing the security of all IT systems of the operator, including its website.

Legal and Communication Department

A.N.S.P.D.C.P.