ANSPDCP (Romania) - Press Release 04/01/2023
|ANSPDCP - Press Release 04/01/2023|
|Relevant Law:|Article 32(1)(b) GDPR; Article 32(2) GDPR; Article 32(4) GDPR|
|National Case Number/Name:|Press Release 04/01/2023|
|European Case Law Identifier:|n/a|
|Original Source:|Romanian DPA (in RO)|
The Romanian DPA fined a controller €3000 for disclosing the email addresses of a significant number of data subjects by putting the addresses in the "To" field instead of the "BCC" field when sending an email.
English Summary
Facts
At an unspecified time, the controller, a Romanian water supplier, incurred a data security breach by erroneously putting data subjects' email addresses in the "To" section instead of the "BCC" section of its email client before sending off an email. The controller subsequently notified the breach to the Romanian DPA, prompting it to launch an investigation. The investigation concluded in December 2022.
Holding
The DPA's investigation found that the breach led to the unauthorized disclosure of the email addresses of a significant number of data subjects. In its assessment, the DPA argued that the controller did not implement adequate technical and organizational measures in order to ensure a level of security corresponding to its processing risk.
Consequently, the DPA held that the controller's conduct constituted a violation of Article 32 GDPR, "Security of processing". More specifically, the controller violated Article 32(1)(b), 32(2), and 32(4) GDPR.
For its breaches of the GDPR, the controller was fined 14,757.60 RON (the equivalent of €3000) by the DPA.
Comment
Unfortunately, at the time of writing, the Romanian DPA had not published its full decision. The above summary is based on a press release.
English Machine Translation of the Decision
The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.
04.01.2023
Penalty for GDPR violation
In December 2022, the National Supervisory Authority completed an investigation at the operator Apă Canal Ilfov SA and found a violation of the provisions of art. 32 para. (1) lit. b), art. 32 para. (2) and art. 32 para. (4) of Regulation (EU) 2016/679. As such, the operator was fined 14,757.60 RON (equivalent to 3000 EURO).
The investigation was started as a result of a data security breach notification that was sent by the operator Apă Canal Ilfov SA. During the investigation, it was found that the violation of data processing security occurred as a result of the fact that, in order to send an electronic message to the users registered on the company's online portal, the operator erroneously entered the e-mail addresses in the "To" section, instead of "BCC".
As a result, it turned out that this breach led to the unauthorized disclosure or unauthorized access to personal data (e-mail address), so that a significant number of individuals were affected. It was found that the operator Apă Canal Ilfov SA did not implement adequate technical and organizational measures in order to ensure a level of security corresponding to the processing risk.
Legal and Communication Department A.N.S.P.D.C.P