ANSPDCP (Romania) - Valoris Center S.R.L.
|ANSPDCP (Romania) - Fine against Valoris Center S.R.L.|
|Relevant Law:|Article 29 GDPR, Article 32(1)(b) GDPR, Article 32(4) GDPR, Article 33 GDPR|
|Valoris Center S.R.L.|
|National Case Number/Name:|Fine against Valoris Center S.R.L.|
|European Case Law Identifier:|n/a|
|Original Source:|ANSPDCP (in RO)|
|Initial Contributor:|Giel Ritzen|
The Romanian DPA fined a call centre €2,000 (RON 9,898) for failing to take adequate measures to ensure that personal data was not processed without the controller's authorisation.
English Summary
Facts
The controller is a bank that, inter alia, provides internet banking services. The processor is Valoris Center S.R.L., a company that provides call centre services on behalf of the bank. In its communication with a customer of the bank, an employee of Valoris had, by mistake, attached an Excel file containing personal data of the controller's customers who used the internet banking service. Hence, pursuant to Article 33 GDPR, the controller notified the Romanian DPA of a personal data breach.
In the course of the investigation, the DPA found that this breach led to the unauthorised disclosure of, and access to, personal data. The Excel file contained e-mail addresses, user names, user IDs, telephone numbers, customer names, customer codes and customer PINs of the bank's customers. In total, 11,169 natural persons were affected by the incident.
Holding
The DPA held that Valoris did not fulfil its obligations laid down in Article 29, Article 32(1)(b) and Article 32(4) GDPR. Even though the employee of Valoris was not allowed to share the personal data with the customer, this data breach could only occur because of Valoris' negligence. In particular, the processor had not taken adequate measures to ensure that natural persons acting under its authority had only limited access to the personal data. Hence, the security of processing was not guaranteed, ultimately leading to a personal data breach.
The DPA considered the different aspects of the case, such as the number of data subjects involved and the categories of personal data, and decided to impose a fine of 9,898 lei (the equivalent of €2,000) on Valoris.
English Machine Translation of the Decision
The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.
26.11.2021

RGPD

The National Supervisory Authority completed in October 2021 an investigation at the operator Valoris Center S.R.L., as a result of which a violation of the provisions of art. 29, art. 32 para. (1) lit. b) and para. (4) of the General Data Protection Regulation was found.

As such, the operator was sanctioned with a fine of 9,898.00 lei (equivalent to 2,000 EURO).

The investigation was initiated as a result of a notification of personal data breach that was transmitted by an operator, based on the provisions of art. 33 of the General Data Protection Regulation.

According to those mentioned in the notification form, the violation of the security of personal data processing occurred as a result of the fact that a call center employee of Valoris Center S.R.L. (person authorized by the operator) attached, by mistake, to an operator's client, an Excel file containing the data of the respective operator's customers who have the Internet Banking service.

In the course of the investigation, it was found that this breach led to unauthorized disclosure or unauthorized access to certain personal data, such as e-mail address, username, user CNP, telephone number, customer name, customer code, the client's PIN, with a number of 11,169 individuals being affected by the incident.

Considering these aspects, it was established that Valoris Center S.R.L., as the person empowered by the operator, in relation to the provisions of art. 29 and 32 of the General Data Protection Regulation, has not taken appropriate measures to ensure that any natural person acting under its authority and having access to personal data only processes them at its request.

Legal and Communication Department
A.N.S.P.D.C.P.