ANSPDCP - Fine to DADA CREATION S.R.L.

From GDPRhub
Authority: ANSPDCP (Romania)
Jurisdiction: Romania
Relevant Law: Article 32(1) GDPR
Article 32(2) GDPR
Article 33(1) GDPR
Type: Investigation
Outcome: Violation Found
Decided:
Published: 24.11.2020
Fine: 5.000 EUR
Parties: n/a
National Case Number/Name: Fine to DADA CREATION S.R.L.
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Romanian
Original Source: ANSPDCP (in RO)
Initial Contributor: Stefan Musat

The Romanian DPA (ANSPDCP) fined an eCommerce company €5000 for making available on its website a document containing detailed records of transactions received by the site from its customers.

English Summary

Facts

The Romanian DPA (ANSPDCP) received a complaint regarding the online availability of a document containing customers' personal data. On DADA CREATION S.R.L.'s website, the following personal data were made available: e-mail addresses, telephone numbers, first and last names of customers (adults and minors), age of minors, delivery addresses, order number, total order amount, products ordered and date of order. Approximately 1091 individuals were affected.

Dispute

Did the controller implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk of processing according to Article 32(1) GDPR?

Holding

The ANSPDCP found that the controller did not implement adequate technical and organizational measures to ensure a level of security appropriate to the risk of processing, which led to the unauthorized disclosure of and access to personal data of approximately 1091 individuals who had placed orders on the operator's website. In addition to the fine of EUR 5000, the Romanian DPA issued a warning for failing to notify the security incident and also applied the corrective measure to review and update the technical and organizational measures implemented as a result of the risk assessment for the rights and freedoms of individuals.

English Machine Translation of the Decision

The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.

The National Supervisory Authority completed an investigation at the operator DADA CREATION SRL and found a violation of the provisions of art. 32 para. (1) and (2) and art. 33 para. (1) of the General Data Protection Regulation. The operator DADA CREATION SRL was sanctioned as follows:
- fine in the amount of 24,272.50 lei, the equivalent of 5,000 EURO, for violating the provisions of art. 32 para. (1) and (2) of the General Data Protection Regulation;
- warning for violation of art. 33 para. (1) of the General Data Protection Regulation.

The investigation was launched following a complaint alleging that a document was available through the operator's website with detailed records of transactions received by this site from its customers (individuals), containing e-mail addresses, telephone numbers, names and surnames of customers (adults and minors), age of minors, delivery addresses, order number, total order amount, products ordered and date of order. The breach of data security consisted in the fact that DADA CREATION SRL did not implement adequate technical and organizational measures in order to ensure a level of security appropriate to the risk of processing, which led to the disclosure of and unauthorized access to personal data of approximately 1091 individuals who had placed orders on the operator's website.

Also, the operator was sanctioned with a warning because it did not notify the Supervisory Authority of the security incident (which was brought to its attention by our institution), according to art. 33 of the General Data Protection Regulation.

At the same time, the corrective measure was applied to review and update the technical and organizational measures implemented as a result of the risk assessment for the rights and freedoms of individuals, so as to avoid similar incidents of unauthorized disclosure of personal data processed.