ANSPDCP (Romania) - Omniasig Vienna Insurance Group S.A.
| Field | Value |
|---|---|
| Authority | ANSPDCP (Romania) |
| Jurisdiction | Romania |
| Relevant Law | Article 32(1) GDPR; Article 32(2) GDPR; Article 32(4) GDPR; Article 33 GDPR |
| Type | Complaint |
| Outcome | Upheld |
| Started | |
| Decided | |
| Published | 06.02.2025 |
| Fine | 14,931 RON |
| Parties | Omniasig Vienna Insurance Group S.A. |
| National Case Number/Name | Omniasig Vienna Insurance Group S.A. |
| European Case Law Identifier | n/a |
| Appeal | Unknown |
| Original Language(s) | Romanian |
| Original Source | Autoritatea Naţională de Supraveghere a Prelucrării Datelor cu Caracter Personal (in RO) |
| Initial Contributor | elu |
The DPA fined an insurance company RON 14,931 (€3,000) after one of its employees accessed the personal data of the company's clients (the data subjects) without authorisation and used it to file compensation claims for non-existent events and collect the payouts.
English Summary
Facts
The controller, an insurance company, notified the DPA of a personal data breach, as per Article 33 GDPR.
The personal data breach concerned an employee of the controller who obtained undue sums of money by submitting compensation claims for non-existent events under the identities of some of the controller's clients.
The DPA opened an investigation, which revealed that the employee had accessed, without authorisation, personal data such as name, surname, home address, image of the person, personal numeric code, number and series of the identity card, medical data and financial data of the data subjects.
Holding
The DPA held that the controller had not implemented the technical and organisational measures required by Article 32(1), (2) and (4) GDPR to ensure a level of security appropriate to the risk of the processing, including the ability to ensure the integrity and security of the processing.
Moreover, the controller had not taken appropriate measures to ensure that any natural person acting under the authority of the controller or the processor, and having access to personal data, processes that data only on the controller's instructions.
The DPA also ordered a corrective measure: the controller must establish an inspection/audit plan at the level of its processor (the person empowered by the controller), so as to avoid similar security incidents.
Thus, the controller violated Article 32(1), (2) and (4) GDPR. In light of these violations, the DPA deemed it appropriate to fine the controller RON 14,931 (€3,000).
English Machine Translation of the Decision
The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.
06.02.2025

Sanction for violation of the GDPR

The National Supervisory Authority for Personal Data Processing completed, in December 2024, an investigation at the operator Omniasig Vienna Insurance Group S.A. and found a violation of the provisions of art. 32 paragraph (4) in conjunction with art. 32 paragraph (1) and paragraph (2) of Regulation (EU) 2016/679. For the act committed, the operator was sanctioned with a fine in the amount of 14,931 lei, equivalent to the amount of 3,000 euros.

The investigation was initiated following the transmission by the operator Omniasig Vienna Insurance Group S.A. of a notification of a personal data breach, according to the provisions of art. 33 of Regulation (EU) 2016/679. Thus, the operator notified that an employee of a processor (legal entity) with whom it collaborated collected undue amounts by completing compensation claims for non-existent events, using the identity of clients, insured individuals.

During the investigation, it was found that the employee of the processor, who had access to the operator's claim files, had unauthorized access to personal data such as: name, surname, home address, image of the person, personal identification number, number and series of the identity card, medical data, financial data of the data subjects. In this context, the security breach occurred as a result of unauthorized access, over a determined period of time, to personal data belonging to a significant number of data subjects.

Thus, it was found that the operator did not implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk of the processing, including the ability to ensure integrity, to guarantee the security of the processing, and did not take appropriate measures to ensure that any natural person acting under the authority of the operator or the person empowered by the operator and having access to personal data does not process them except at the request of the operator.

At the same time, the corrective measure of establishing an inspection/audit plan at the level of the person empowered by the operator was ordered against the operator, so as to avoid similar security incidents. The operator paid the established contravention fine.

Legal and Communication Department, A.N.S.P.D.C.P.