ANSPDCP (Romania) - Fine against Proleasing Motors SRL
|ANSPDCP - Fine against Proleasing Motors SRL
|Article 32(1) GDPR
Article 32(2) GDPR
Article 58(2)(d) GDPR
|Proleasing Motors SRL
|National Case Number/Name:
|Fine against Proleasing Motors SRL
|European Case Law Identifier:
|ANSPDCP (in RO)
The Romanian DPA (ANSPDCP) fined leasing company €15,000 for violation of Article 32(1) and (2) GDPR after investigating a data breach reported by the company, where the personal data of 436 customers was exposed.
English Summary[edit | edit source]
Facts[edit | edit source]
The controller ran an online contest on Facebook to attract customers. There, a document was posted which led to unauthorized viewing and access to the personal data of 436 customers of the controller on its website and to unauthorized disclosure of this data, contrary to the obligations provided for in Article 32 GDPR.
The controller notified the DPA of the data breach.
Dispute[edit | edit source]
Holding[edit | edit source]
Following an investigation, the DPA found that the controller did not implement adequate technical and organizational measures as it had to.
In addition to the fine, the DPA imposed the corrective measure to review and update the technical and organizational measures implemented so that they are up to the GDPR standards.
Comment[edit | edit source]
Share your comments here!
Further Resources[edit | edit source]
Share blogs or news articles here!
English Machine Translation of the Decision[edit | edit source]
The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.
The National Supervisory Authority completed on 23.06.2020 an investigation at the operator Proleasing Motors SRL and found the violation of the provisions of art. 32 para. (1) and (2) of the General Data Protection Regulation. The operator Proleasing Motors SRL was sanctioned with a fine in the amount of 72,642 lei, the equivalent of 15,000 EURO. The investigation was initiated following the submission by the controller of a notification of personal data breach, by completing the specific form established under the General Data Protection Regulation. The security breach consisted in the fact that, on the Facebook page on which the operator carried out an online contest to attract customers participating in the car service, a document was posted with a screenshot of the source code of the website in which the access password to the forms filled in by the contest participants was also included. This situation led to the unauthorized viewing and access to the personal data of a number of 436 customers of the operator, on the website of Proleasing Motors SRL, and to the unauthorized disclosure of these data, contrary to the obligations provided by art. 32 of the General Regulation on Data Protection. As such, the sanction was applied to the operator due to the fact that he did not implement adequate technical and organizational measures in order to ensure a level of security appropriate to the risk of processing for the rights and freedoms of individuals, generated in particular accidentally or illegally by destruction, loss, modification, unauthorized disclosure of personal data transmitted, stored or otherwise processed or unauthorized access to them. The corrective measure was also applied to the operator to review and update the technical and organizational measures implemented as a result of the risk assessment for the rights and freedoms of individuals, including electronic communications procedures, so as to avoid similar incidents of unauthorized disclosure. of the personal data processed, reported to art. 58 para. (2) lit. d) of the General Regulation on Data Protection. At the same time, we specify that, according to recital (75) of the General Regulation on Data Protection, “The risk to the rights and freedoms of individuals, presenting different degrees of probability of materiality and gravity, may be the result of processing personal data that could generate physical, material or moral damages, especially in cases where: processing may lead to discrimination, identity theft or fraud, financial loss, compromise of reputation, loss of confidentiality of personal data protected by professional secrecy, unauthorized reversal of pseudonymization or to any other significant economic or social disadvantage; data subjects may be deprived of their rights and freedoms or prevented from exercising control over their personal data; the personal data processed are data that reveal racial or ethnic origin, political opinions, religion or philosophical beliefs, trade union membership; genetic data, health data or data on sexual life or criminal convictions and related offenses or security measures are processed; aspects of a personal nature are assessed, in particular the analysis or forecasting of aspects of workplace performance, economic situation, health, personal preferences or interests, reliability or behavior, location or travel, in order to create or personal profiles are used; personal data of vulnerable persons, especially children, are processed; or the processing involves a large volume of personal data and affects a large number of data subjects.