ANSPDCP (Romania) - 12.01.2023
| ANSPDCP - Press Communication 12/01/2023 | |
|---|---|
 | |
| Authority: | ANSPDCP (Romania) |
| Jurisdiction: | Romania |
| Relevant Law: | Article 32(1)(b) GDPR Article 32(2) GDPR Article 33 GDPR |
| Type: | Investigation |
| Outcome: | Violation Found |
| Started: | |
| Decided: | |
| Published: | 12.01.2023 |
| Fine: | 9,828 RON |
| Parties: | Bristol Logistics SA |
| National Case Number/Name: | Press Communication 12/01/2023 |
| European Case Law Identifier: | n/a |
| Appeal: | Unknown |
| Original Language(s): | Romanian |
| Original Source: | Romanian DPA (in RO) |
| Initial Contributor: | n/a |
The Romanian DPA imposed a fine of ca. €2,000 on a logistics company for failing to implement adequate security measures (Article 32 GDPR) to safeguard its employees' personal data against a data breach by a bookshelf theft.
English Summary
Facts
On an unspecified date, a logistics firm (controller) notified the Romanian DPA of two data breaches in line with Article 33 GDPR. Following the notifications, the DPA launched an investigation which concluded that the security breaches were caused by the theft of a bookshelf containing the files of 12 employees. The theft allowed unauthorised third parties access the personal data contained therein. The breach occurred on 3 June 2021 and included data concerning contact information, academic and professional training, employment details, information on tax deductions and dependents, and employees' health status. The DPA concluded the investigation in December 2022.
Holding
The DPA held that the controller did not implement appropriate technical and organisational measures in order to ensure a level of security corresponding to the processing risk generated in particular by the destruction, loss, modification, unauthorised disclosure or unauthorised access to personal data. Hence, the controller violated Articles 32(1)(b) and 32(2) GDPR.
Pursuant to its Article 58(2) GDPR statutory powers, the DPA ordered the controller to implement corrective measures and to review and update the technical and organisational measures implemented as a result of the risk assessment, including the work procedures related to the protection of personal data, as well as to carry out a training for all individuals authorised to process personal data.
The DPA fined the controller 9,828.00 lei (ca. €2000) for its violation.
Comment
Unfortunately, the Romanian DPA is only publishing abridged Press Releases and not full decisions.
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.
12.01.2023 Penalty for GDPR violation The National Supervisory Authority completed an investigation at BRISTOL LOGISTICS SA in December 2022 and found a violation of the provisions of art. 32 para. (1) lit. b) and para. (2) from Regulation (EU) no. 2016/679. As such, the operator BRISTOL LOGISTICS SA was fined 9,828.00 lei (equivalent to 2000 EURO) for contravention. The investigation was started as a result of the transmission by the operator of two data security breach notifications, based on the provisions of art. 33 of Regulation (EU) 2016/679. During the investigation, it was found that the security breach incident consisted in the theft of a biblioraft containing the personnel files of 12 employees, which led to the access of personal data by unauthorized persons. As such, it was held that the operator Bristol Logistics SA did not implement adequate technical and organizational measures in order to ensure a level of security corresponding to the risk of processing generated in particular, accidentally or illegally, by destruction, loss, modification, unauthorized disclosure or unauthorized access to personal data, on 03.06.2021, personal data being accessed without authorization (contact/identification data, academic and professional training, employment details, information on tax deductions and dependents, qualification labor medicine). At the same time, under the provisions of art. 58 para. (2) of Regulation (EU) 2016/679, the operator was ordered and the corrective measure to review and update the technical and organizational measures implemented as a result of the risk assessment for the rights and freedoms of individuals, including the work procedures related to the protection of personal data personal, as well as carrying out a training for the persons authorized to process data on the risks and consequences that the disclosure of personal data implies. Legal and Communication Department A.N.S.P.D.C.P
