ANSPDCP - Fine against Lugera & Makler Broker S.R.L.

From GDPRhub
Revision as of 23:13, 25 April 2021 by DianaR
Authority: ANSPDCP (Romania)
Jurisdiction: Romania
Relevant Law: Article 29 GDPR
Article 32(2) GDPR
Article 32(4) GDPR
Type: Investigation
Outcome: Violation Found
Decided:
Published: 19.04.2021
Fine: 1500 EUR
Parties: Lugera & Makler Broker S.R.L.
Raiffeisen Bank SA
National Case Number/Name: Fine against Lugera & Makler Broker S.R.L.
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Romanian
Original Source: ANSPDCP (in RO)
Initial Contributor: Diana Rosu

The Romanian DPA fined a processor RON 7 331,85 (approx EUR 1 500) for not implementing appropriate measures to prevent data loss and for not processing data according to the instructions of the controller.

English Summary

Facts

The Romanian DPA opened an investigation into Lugera & Makler Broker S.R.L. (a data processor), following a complaint by the controller, Raiffeisen Bank SA. One of the processor's employees destroyed some personal data and, consequently, the processor was not able to provide the controller with the required documents. This caused a security breach that affected 1508 data subjects.

Dispute

Holding

The DPA held that the processor did not take appropriate measures in order to make sure that any natural person acting under its authority who has access to personal data does not process them except on the controller's instructions. Additionally, the processor did not implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk of processing, especially to prevent data destruction.

As a result, the processor was fined RON 7 331,85 (approx. EUR 1 500).

English Machine Translation of the Decision

The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.

The National DPA completed, in March, an investigation on the operator Lugera & Makler Broker S.R.L., finding the violation of the provisions of art. 29 and art. 32 para. (2) and (4) of the General Data Protection Regulation.

As such, the operator Lugera & Makler Broker S.R.L. was sanctioned with a fine in the amount of 7,331.85 RON (equivalent to the amount of 1500 EURO).

The investigation was initiated following a notification received from a natural person and a notification of data breach submitted by Raiffeisen Bank SA, from which it resulted that Lugera & Makler Broker S.R.L. (Raiffeisen Bank SA's processor) did not hand over to Raiffeisen Bank SA the documents related to the prescoring activities performed by one of its employees, on the grounds that they were destroyed.

During the investigation, the National DPA found that the operator Lugera & Makler Broker S.R.L. (Raiffeisen Bank SA's processor) has not taken measures to ensure that any natural person acting under his authority and who has access to personal data only processes them at his request and has not implemented appropriate technical and organizational measures to ensure a level of security appropriate to the risk of processing generated in particular by accidental or illegal data destruction, loss, alteration, unauthorized disclosure or unauthorized access to personal data transmitted, stored or processed in another mode.

Also, as a result of the performance of 1372 prescoring by a sales agent, employee of Lugera & Makler Broker SRL, 1058 individuals concerned were affected by the security incident, as the original documentation related to the prescoring was not provided by the agent, but destroyed, which generated the security incident notified by Raiffeisen Bank to the DPA, thus violating the provisions of art. 29, art. 32 paragraphs (2) and (4) of the General Regulation on Data Protection.