ANSPDCP (Romania) - Sanatatea Press Group S.R.L.

From GDPRhub
Authority: ANSPDCP (Romania)
Jurisdiction: Romania
Relevant Law: Article 5(1)(f) GDPR
Article 32(1) GDPR
Article 32(2) GDPR
Type: Investigation
Outcome: Violation Found
Decided: 12.08.2020
Published: 08.09.2020
Fine: 2000 EUR
Parties: Sanatatea Press Group S.R.L.
National Case Number/Name:
European Case Law Identifier: n/a
Appeal: Not appealed
Original Language(s): Romanian
Original Source: ANSPDCP - Autoritatea Naţională de Supraveghere a Prelucrării Datelor cu Caracter Personal (in RO)
Initial Contributor: n/a

The Romanian DPA fined a data controller €2000 for transmitting the login data of 1300 data subjects to incorrect email addresses.

English Summary


In the context of an online event that it was organising, the data controller erroneously sent the login data of 1300 participants to other email addresses than the ones that the users had created their accounts with. The data breach led to the unauthorised disclosure of the names and email addresses of the data subjects.


The data controller notified the ANSPDCP of the data breach, which triggered the DPA's investigation. Therefore, there was no dispute with regards to the presence of a security incident.


The DPA held that the controller had breached its obligations under Articles 5(1)(f), as well as 32(1) and (2). As a consequence, the ANSPDCP issued an administrative fine of €2000 against Sanatatea Press Group S.R.L.


Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.

On 12.08.2020, the National Supervisory Authority completed an investigation at the operator Sanatatea Press Group SRL and found the violation of the personal data security measures established by the provisions of art. 32 para. (1) and (2) in conjunction with art. 5 para. (1) lit. f) of the General Regulation on Data Protection.

The operator Sanatatea Press Group SRL was sanctioned with a fine of 9,671.40 lei, the equivalent of 2,000 EURO.

The investigation was initiated following the submission by the controller of a notification of a personal data breach.

The breach of data security consisted in the fact that, during the organization of an online event by Sanatatea Press Group SRL, the login data of some persons were erroneously transmitted to other e-mail addresses than those with which they had created an account on the platform. operator electronics.

This situation led to the disclosure and unauthorized access to the data of other participants in the event (e-mail addresses, usernames), with effects for a number of 1300 users of the operator's platform. 

In this context, we specify that according to art. 5 para. (1) lit. f) of the General Data Protection Regulation, the controller has the obligation to process the data “in a way that ensures adequate security of personal data, including protection against unauthorized or illegal processing and against accidental loss, destruction or damage, by taking appropriate technical or organizational measures ("integrity and confidentiality").