ANSPDCP (Romania) - Vodafone România SA
| ANSPDCP - Vodafone România SA | |
|---|---|
 | |
| Authority: | ANSPDCP (Romania) |
| Jurisdiction: | Romania |
| Relevant Law: | Article 29 GDPR Article 32(1)(b) GDPR Article 32(2) GDPR Article 32(4) GDPR |
| Type: | Investigation |
| Outcome: | Violation Found |
| Started: | |
| Decided: | |
| Published: | 19.09.2022 |
| Fine: | 2,000 EUR |
| Parties: | Vodafone România SA |
| National Case Number/Name: | Vodafone România SA |
| European Case Law Identifier: | n/a |
| Appeal: | Unknown |
| Original Language(s): | Romanian |
| Original Source: | ANSPDCP (in RO) |
| Initial Contributor: | Daniela Duta |
The Romanian DPA fined a telecommunications operator for failing to verify compliance with the caller identification procedure by its processors that allowed third parties to fraudulently purchase phones on behalf of the controller's customers.
English Summary
Facts
The Romanian DPA has completed an investigation at Vodafone Romania SA started as a result of the transmission by the controller of two security data breach notifications. During the investigation, ANSPDCP found that the controller failed to check the procedure applicable for verifying the caller identification by the processors.
This situation allowed third parties to access data from contracts concluded by customers with the controller and data from personal My Vodafone accounts, such as: name, surname, address, personal identification number, contact phone number, PUK code, contact number of the account holder, the SIM series of the original card, the amount of the last unpaid bill and the data traffic.
Holding
The Romanian DPA completed an investigation at Vodafone Romania SA and found a violation of the provisions of Article 29 GDPR, Article 32(1)(b) GDPR, Article 32(2) GDPR, Article 32(4) GDPR Consequently, the DPA fined the controller €2,000.
The telecom operator failed to adopt sufficient guarantees to ensure that any individual acting on behalf of the controller having access to personal data only processes them upon the instructions of the controller and failed to implement adequate technical and organizational measures to ensure an adequate level of protection.
Comment
This summary is based on a press release of the Romanian DPA.
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.
19.09.2022 A new penalty for breaching GDPR The National Supervisory Authority completed an investigation at the Vodafone Romania SA operator and found a violation of the provisions of art. 29 and art. 32 para. (1) lit. b), paragraph (2) and para. (4) of the General Data Protection Regulation. The Vodafone Romania SA operator was fined 9,890.8 lei (the equivalent of 2000 EURO). The investigation was started as a result of the transmission by the operator of two notifications of a breach of the security of personal data under the General Data Protection Regulation. During the investigation, it was found that the operator Vodafone Romania SA did not check compliance with the caller identification procedure by its representatives, which allowed third parties to fraudulently purchase new phones on behalf of some of the operator's customers. Also, this situation allowed third parties to access data from contracts concluded by customers with the operator and data from My Vodafone personal accounts, such as: name, first name, address, personal code, contact phone number, PUK code, the contact number of the account holder, the SIM series of the original card, the amount of the last unpaid bill and the data traffic. At the same time, the National Supervisory Authority found that Vodafone Romania SA did not adopt sufficient measures to ensure that any natural person who acts under the authority of the operator and who has access to personal data only processes them at the request of the operator and did not implement appropriate technical and organizational measures to ensure a level of confidentiality and security corresponding to the risk of processing. As such, the operator Vodafone Romania SA was fined for violating the provisions of art. 29 and art. 32 para. (1) lit. b) and para. (2) of the General Data Protection Regulation. Legal and Communication Department A.N.S.P.D.C.P.
