ANSPDCP (Romania) - SUDREZIDENȚIAL Broker S.R.L.

From GDPRhub
Revision as of 21:39, 3 January 2023 by Dana.duta (talk | contribs) (Created page with "{{DPAdecisionBOX |Jurisdiction=Romania |DPA-BG-Color=background-color:#ffffff; |DPAlogo=LogoRO.jpg |DPA_Abbrevation=ANSPDCP |DPA_With_Country=ANSPDCP (Romania) |Case_Number_...")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
ANSPDCP - SUDREZIDENȚIAL Broker S.R.L.
LogoRO.jpg
Authority: ANSPDCP (Romania)
Jurisdiction: Romania
Relevant Law: Article 32(4) GDPR
Article 34 GDPR
Article 4(5) Law no. 506/2004 on the processing of personal data and the protection of private life in the electronic communications sector
Type: Investigation
Outcome: Violation Found
Started:
Decided:
Published: 22.12.2022
Fine: 10,000 EUR
Parties: SUDREZIDENȚIAL Broker S.R.L.
National Case Number/Name: SUDREZIDENȚIAL Broker S.R.L.
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Romanian
Original Source: ANSPDCP (in RO)
Initial Contributor: Dana Duta

The Romanian DPA fined a controller €10,000 for their lack of security of data processing which lead to the unauthorized disclosure of at least 509 data subjects.

English Summary

Facts

During the investigation, the Romanian DPA found that the data controller did not take adequate organizational measures which led to unlawful disclosure of an Excel record containing the personal data (surname, surname, personal numeric code, telephone number, identity card number and serial number, e-mail address, bank details, real estate purchases, marital status, requested amount, bank, comments) of the data controller's customers and others natural persons (customers' life partners).

Holding

As a result of its investigation, the Romanian DPA found violation Article 32(4) GDPR, Article 34 GDPR and Article 4(5) Law no. 506/2004 on the processing of personal data and the protection of private life in the electronic communications sector. The DPA found that the data controller - did not adopt sufficient measures, under Article 32(4) GDPR, to ensure that any natural person acting under its authority and who has access to personal data does not process it except at its request, which led to the unlawful disclosure of the personal data of at least 509 data subjects, through their publication on a certain internet page. - did not inform the data subjects about this data breach, thus violating the provisions of Article 34 GDPR. - stored information about cookie modules without obtaining the consent of the users, and without providing them with clear and complete information according to Article 12 – 14 GDPR. The DPA fined the controller €10,000 for this data breach.

Comment

This summary is based on a press release of the Romanian DPA.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.

22.12.2022

A new penalty for breaching GDPR



In November of this year, the National Supervisory Authority completed an investigation at the operator SUDREZIDENțIAL Broker S.R.L. in which he found the violation of the provisions of art. 32 para. (4) and art. 34 of the General Data Protection Regulation (RGPD), as well as the violation of art. 4 para. (5) from Law no. 506/2004 on the processing of personal data and the protection of private life in the electronic communications sector.

As such, the company SUDREZIDENțIAL Broker S.R.L. was penalized as follows:

fine in the amount of 49,418 lei, the equivalent of 10,000 EURO, for violating the provisions of art. 32 para. (4) from GDPR; warning for violating the provisions of art. 34 of the GDPR; warning for violating the provisions of art. 4 para. (5) from Law no. 506/2004

During the investigation, it was found that the operator SUDREZIDENțIAL Broker S.R.L. did not take adequate measures to ensure that any natural person acting under its authority and who has access to personal data does not process it except at its request, which led to the preparation of an Excel record containing the data with personal data (surname, surname, personal numerical code, telephone number, identity card number and serial number, e-mail address, bank details, real estate purchases, marital status, requested amount, bank, comments) of the operator's customers and others natural persons (customers' life partners).

This situation led to the unauthorized disclosure to the general public of the personal data of at least 509 data subjects, clients of the operator, through their publication by the company's administrator on a certain internet page.

It was also found that the operator did not inform the persons concerned about this violation of the security of personal data, thus violating the provisions of art. 34 of the GDPR.

At the same time, it was found that the company Sudrezidencial Broker S.R.L. stored information (cookie modules that were not technically necessary in the operation of the operator's website) without obtaining the consent of the users, natural persons, and without providing them with clear and complete information according to art. 12 - 14 of the GDPR, violating the provisions of art. 4 para. (5) from Law no. 506/2004 on the processing of personal data and the protection of private life in the electronic communications sector, amended and supplemented.

In this context, we specify that art. 4 para. (5) from Law no. 506/2004 provides the following:

"Storing information or obtaining access to the information stored in the terminal equipment of a subscriber or user is allowed only with the cumulative fulfillment of the following conditions:

a) the subscriber or user in question has expressed his consent;

b) the subscriber or user in question were provided, prior to the expression of agreement, in accordance with the provisions of art. 12 of Law no. 677/2001, with subsequent amendments and additions, clear and complete information that:

(i) to be presented in an easy-to-understand language and to be easily accessible to the subscriber or user;

(ii) to include mentions regarding the purpose of processing the information stored by the subscriber or user or the information to which he has access. (…)"



Legal and Communication Department

A.N.S.P.D.C.P.