ANSPDCP (Romania) - Vodafone România SA

From GDPRhub
ANSPDCP - Vodafone România SA
LogoRO.jpg
Authority: ANSPDCP (Romania)
Jurisdiction: Romania
Relevant Law: Article 29 GDPR
Article 32(1)(b) GDPR
Article 32(2) GDPR
Article 32(4) GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided:
Published: 19.09.2022
Fine: 2,000 EUR
Parties: Vodafone România SA
National Case Number/Name: Vodafone România SA
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Romanian
Original Source: ANSPDCP (in RO)
Initial Contributor: Daniela Duta

A Romanian telecommunications operator suffered data breaches due to their lacking security procedure in verifying callers' identities. Consequently, the Romanian DPA fined it €2,000 for violating Article 29 GDPR and Article 32 GDPR.

English Summary[edit | edit source]

Facts[edit | edit source]

The company Vodafone Romania SA, the data controller, notified the Romanian DPA of two personal data breaches. In its subsequent investigation, the DPA found that the data controller failed to comply with the applicable procedure to ensure that its processors adequately verify the identity of callers. Third parties were able to fraudulently purchase new phones on behalf of some of the data controller's customers and acquired access to their personal data, such as: name, surname, address, personal identification number, contact phone number, PUK code, contact number of the account holder, the SIM series of the original card, the amount of the last unpaid bill, and the data traffic.

The DPA found that the data controller did not adopt sufficient measures to ensure that any natural persons acting under its authority and who have access to the personal data of its costumers only process the personal data under its requests. The data controller lacked appropriate technical and organizational measures to ensure that its personal data processing had an appropriate level of confidentiality and security.

Holding[edit | edit source]

As a result of its investigation, the Romanian DPA found that the company Vodafone Romania SA, the data controller, violation Article 29 GDPR, Article 32(1)(b) GDPR, Article 32(2) GDPR, Article 32(4) GDPR The DPA fined the data controller €2,000.

Comment[edit | edit source]

This summary is based on a press release of the Romanian DPA.

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.

19.09.2022

A new penalty for breaching GDPR



The National Supervisory Authority completed an investigation at the Vodafone Romania SA operator and found a violation of the provisions of art. 29 and art. 32 para. (1) lit. b), paragraph (2) and para. (4) of the General Data Protection Regulation.

The Vodafone Romania SA operator was fined 9,890.8 lei (the equivalent of 2000 EURO).

The investigation was started as a result of the transmission by the operator of two notifications of a breach of the security of personal data under the General Data Protection Regulation.

During the investigation, it was found that the operator Vodafone Romania SA did not check compliance with the caller identification procedure by its representatives, which allowed third parties to fraudulently purchase new phones on behalf of some of the operator's customers.

Also, this situation allowed third parties to access data from contracts concluded by customers with the operator and data from My Vodafone personal accounts, such as: name, first name, address, personal code, contact phone number, PUK code, the contact number of the account holder, the SIM series of the original card, the amount of the last unpaid bill and the data traffic.

At the same time, the National Supervisory Authority found that Vodafone Romania SA did not adopt sufficient measures to ensure that any natural person who acts under the authority of the operator and who has access to personal data only processes them at the request of the operator and did not implement appropriate technical and organizational measures to ensure a level of confidentiality and security corresponding to the risk of processing.

As such, the operator Vodafone Romania SA was fined for violating the provisions of art. 29 and art. 32 para. (1) lit. b) and para. (2) of the General Data Protection Regulation.



Legal and Communication Department

A.N.S.P.D.C.P.