ANSPDCP (Romania) - Vodafone România SA 1

From GDPRhub
ANSPDCP - Vodafone România SA
Authority: ANSPDCP (Romania)
Jurisdiction: Romania
Relevant Law: Article 5(1)(d) GDPR
Article 5(1)(f) GDPR
Article 5(2) GDPR
Article 58(2)(d) GDPR
Type: Investigation
Outcome: Violation Found
Decided: 11.02.2020
Published: 19.03.2020
Fine: 3000 EUR
Parties: Vodafone România SA
National Case Number/Name: Vodafone România SA
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Romanian
Original Source: ANSPDCP (in RO)
Initial Contributor: n/a

The ANSPDCP fined Vodafone România SA 3,000 € for failing to implement adequate technical and organisational measures when processing personal data, thus violating the principles of accuracy, integrity, confidentiality and accountability.

English Summary


The ANSPDCP carried out investigation against the Romanian telecommunication operator Vodafone România SA. The company transmitted personal data to inaccurate e-mail address while handling a data subject's complaint.


Did the controller processed personal data in line with the GDPR principles?


The ANSPDCP found that the company processed personal data without having implemented sufficient security measures. Thus it violated the principles of accuracy, integrity and confidentiality as laid down in Article 5(1)(d) and (f) GDPR read in conjunction with the principle of accountability according to Article 5(2) GDPR. The ANSPDCP imposed a fine of 14308.8 lei (equivalent to EUR. 3.000) and pursuant to Article 58(2)(d) GDPR it ordered the complany to put in place efficient technical and organisational measures within 30 days.


Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.

On 11.02.2020, the National Supervisory Authority finalized an investigation at the operator of Vodafone Romania SA and found that it violated the principles of processing of personal data established by the provisions of art. 5 paragraph (1) lit. d) and f) corroborated with art. 5 paragraph (2) of the General Regulation on Data Protection.

The operator of Vodafone Romania SA was sanctioned contraventional with a fine in the amount of 14308.8 lei, the equivalent of 3,000 euros.

The sanction was applied to the operator because he mistakenly processed personal data of a natural person in order to solve his complaint, which subsequently determined the transmission of the operator's response to an incorrect e-mail address, not having taken sufficient security measures against the illegal processing of the data. personnel of the respective person, in violation of the processing principles provided by art. 5 paragraph (1) lit. d) and f) in conjunction with art. 5 paragraph (2) of the General Regulation on Data Protection.

At the same time, a corrective measure was applied to the operator of Vodafone Romania SA, according to the provisions of art. 58 paragraph (2) lit. d) of the General Regulation on Data Protection.

Thus, the operator was obliged to ensure compliance with the General Regulation on Data Protection of the operations for the collection and subsequent processing of personal data, by implementing efficient methods of respecting the accuracy of the data, including in the case of data collection, such as the e-mail address. In this regard, it was ordered to put in place adequate and efficient security measures from a technical and organizational point of view, including by regular training of persons processing data under the authority of the operator, within 30 days from the date of communication of the minutes. sanction.

In this context, we highlight the provisions of art. 5 paragraph (1) of the General Regulation on Data Protection, which provide that “personal data are:

d) accurate and, if necessary, updated; all necessary measures must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are deleted or rectified without delay ("accuracy");

f) processed in a manner that ensures adequate security of personal data, including protection against unauthorized or illegal processing and against accidental loss, destruction or damage, by taking appropriate technical or organizational measures ("integrity and confidentiality") . "

Also, art. 5 paragraph (2) of the Regulation provides that "The operator is responsible for compliance with paragraph 1 and can demonstrate this compliance (" responsibility ")".