ANSPDCP - Fine against Telekom Romania mobile communications S.A. 2

From GDPRhub
Authority: ANSPDCP (Romania)
Jurisdiction: Romania
Relevant Law: Article 32(1) GDPR
Article 32(2) GDPR
Article 3(1), Article 3(3) a) and b) Law 506/2004
Type: Investigation
Outcome: Violation Found
Decided:
Published: 30.03.2021
Fine: 63748 RON
Parties: Telekom Romania mobile communications S.A.
National Case Number/Name: Fine against Telekom Romania mobile communications S.A. 2
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Romanian
Original Source: dataprotection.ro (in RO)
Initial Contributor: Diana Rosu

The Romanian DPA found that Telekom Romania did not implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk of processing, which led to a data breach, affecting 99,623 data subjects, and imposed a fine of €13,000.

English Summary

Facts

Billing information of the affected data subjects was wrongfully entered into a database and sent to a third party. In addition, the controller did not implement appropriate measures in order to prevent unauthorised access to data stored in the personal accounts of data subjects.

Dispute

Holding

The DPA fined and applied additional corrective measures to Telekom Romania for failing to implement appropriate technical and organisational measures to ensure an appropriate level of security. The failure resulted in a data breach and unauthorised access to the data.

The infringement of Article 32 of the GDPR led to a €10,000 fine (RON 48,748). The infringement of Article 3 of Law 506/2004 led to a fine of €3,000 (RON 15,000).

Comment

This is the second investigation in the last year that resulted in a fine against Telekom Romania for the violation of Article 32.

Further Resources

English Machine Translation of the Decision

The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.

In February 2021 the National Supervisory Authority completed an investigation against the controller TELEKOM ROMANIA MOBILE COMMUNICATIONS S.A. and found a violation of the provisions of art. 32 para. (1) and para. (2) of the General Data Protection Regulation and a violation of the provisions of art. 3 para. (1) and para. (3) lit. a) and b) of Law no. 506/2004, as amended and supplemented.

As such, the controller TELEKOM ROMANIA MOBILE COMMUNICATIONS S.A. was sanctioned for contraventions:

with a fine in the amount of 48,748.00 lei (the equivalent of 10,000 EUR), for violating art. 32 para. (1) and para. (2) of the General Data Protection Regulation;
with a fine in the amount of 15,000 lei, for committing the contravention provided by art. 13 para. (1) lit. a) of Law no. 506/2004.

The investigation found that the controller did not implement adequate technical and organizational measures to ensure a level of security appropriate to the risk of processing, which led to unauthorized disclosure and/or unauthorized access to personal data (customer ID, customer code, name and surname, CNP, date of birth, sex, telephone number, e-mail, address (country, city, street), and the amount of debt associated with the customer code) of 99,210 persons / customers. Their billing addresses had been erroneously entered in the individual-customer database and sent to a contractual partner under a debt assignment contract, which led to notifications intended for customers being sent to the wrong addresses.

It was also found that the controller did not take adequate technical and organizational measures to ensure the security of the processing of personal data, measures such as to protect stored or transmitted personal data against unlawful storage, processing, access or disclosure. This led to unauthorized access to personal data held in MyAccount accounts (account holder name; date of birth; phone numbers used; home address; email address; subscriber code; contracted services; active extra options on the account; basic invoice history) of 413 affected persons / Telekom Romania customers. We emphasize that the controller was obliged to guarantee that personal data can be accessed only by authorized persons, for the purposes permitted by law; by failing to do so it violated the provisions of art. 3 para. (1) and para. (3) lit. a) and b) of Law no. 506/2004 on the processing of personal data and the protection of privacy in the electronic communications sector, as amended and supplemented.

The provisions of art. 3 para. (1) and para. (3) lit. a) and b) of Law no. 506/2004, as amended and supplemented, provide:

"(1) The provider of an electronic communications service intended for the public has the obligation to take appropriate technical and organizational measures in order to ensure the security of the processing of personal data. If necessary, the provider of the electronic communications service intended for the public shall take these measures together with the provider of the public electronic communications network."

"(3) Without prejudice to the provisions of Law no. 677/2001, with the subsequent amendments and completions, the measures adopted according to para. (1) must meet at least the following conditions:

a) to guarantee that personal data may be accessed only by authorized persons, for the purposes authorized by law;

b) to protect personal data stored or transmitted against accidental or unlawful destruction, against accidental loss or damage and against unlawful storage, processing, access or disclosure."

Corrective measures were also applied to the controller, consisting of:

reviewing and updating the technical and organizational measures implemented as a result of the assessment of the risk to the rights and freedoms of individuals, including procedures relating to electronic communications;
implementing a process for regularly testing, assessing and evaluating the effectiveness of the technical and organizational measures for ensuring the security of processing, in accordance with the provisions of the GDPR.

In this context, we recall that art. V para. (2) of Law no. 129/2018 stipulates that "All references to Law no. 677/2001, with the subsequent amendments and completions, in normative acts are interpreted as references to the General Data Protection Regulation and to the legislation implementing it."