ANSPDCP - Natural Person

Authority: ANSPDCP (Romania)
Jurisdiction: Romania
Relevant Law: Article 5(1)(f) GDPR
Article 32 GDPR
Type: Complaint
Outcome: Upheld
Decided: 16.02.2021
Published: 04.03.2021
Fine: 500 EUR
Parties: Natural Person
National Case Number/Name: Natural Person
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Romanian
Original Source: ANSPDCP (in RO)
Initial Contributor: n/a

The Romanian DPA (ANSPDCP) imposed a fine of €500 on a natural person who held the office of Secretary-General in a subsidiary branch of a political party in the City of Bucharest for publishing the personal data of 10 individuals on their website. This breached Articles 5(1)(f) and 32 GDPR.

English Summary

Facts

The Romanian DPA (ANSPDCP) started an investigation after receiving a complaint against an individual who held the office of Secretary-General in a subsidiary branch of a political party in the City of Bucharest.

The complainant filed the complaint based on the fact that the defendant's social networking site published a list of 10 supporters for the mayoral election in Bucharest. This list disclosed the personal data of these supporters, including their name, number of their identity document, nationality, address, political choice and signature.

Dispute

Is disclosing the personal data of supporters of a political party an infringement of Article 32 GDPR in conjunction with Article 5(1)(f) GDPR?

Holding

The Romanian DPA (ANSPDCP) found that the controller violated Article 32 GDPR as they had not implemented appropriate technical and organisational measures to ensure a level of security necessary for the processing of personal data. By disclosing the personal data of 10 individuals, the DPA found that the controller failed to comply with the associated principle of "integrity and confidentiality" (Article 5(1)(f) GDPR).

The DPA imposed a corrective measure against the controller, ordering it to erase the personal data revealed on their website. Similarly, the DPA imposed a fine of approximately 500 EUR against the controller.

Comment

It is interesting that the DPA did not find that there was no legal basis for processing the personal data. As the political opinion of the individuals was revealed through this processing, this may entail a breach of Article 9 GDPR (Processing of Special Categories of Personal Data).

English Machine Translation of the Decision

The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.

Penalty for breach of the GDPR applied to a natural person

The National Supervisory Authority completed, on 16.02.2021, an investigation into a natural person who also holds the office of Secretary-General of a district branch, in the City of Bucharest, of a political party, and found a violation of the provisions of art. 32, par. (1) and (2) and of the provisions of art. 58, par. (1) a) and e) of the General Data Protection Regulation.

The natural person, as an operator, was sanctioned with an administrative fine in the amount of RON 2,437.35 (the equivalent in RON of EUR 500).

The investigation was launched following receipt of a complaint stating that, on a social networking site, on the page of the individual who held the office of Secretary-General of a district branch of a political party, there was a list with 10 entries of signatories/supporters for the election of the General Council and the Mayor of the Municipality of Bucharest, in which the personal data of these persons were disclosed: surname and first name, signature, nationality, date of birth, address, number of the identity document and political choice of the signatories/supporters.

In the course of the investigation, the National Supervisory Authority determined that the operator, contrary to the obligations laid down in art. 32 of the GDPR, had not implemented appropriate technical and organisational measures to ensure a level of security appropriate to the risk of the processing for the rights and freedoms of natural persons, which led to the disclosure to the general public of, and unauthorised access to, the personal data of a total of 10 individuals who were supporters of a candidate in the local elections of November 2020, although, according to art. 5, let. f) of the GDPR, the operator had the obligation to comply with the principle of “integrity and confidentiality”.

Thus, the operator has been sanctioned for the violation of the provisions of art. 32 of the GDPR regarding the security of the processing.

At the same time, the operator has been sanctioned for the act provided for by art. 83 (5) of Regulation (EU) 679/2016, in relation to art. 58, par. (1) a) and e), in conjunction with art. 8 of G.O. no. 2/2001, as I responded to the demands of the National Authority for the Supervision of the Processing of Personal Data.

The authority also applied to the controller the corrective measure of deleting the data disclosed through the posting, on the personal page on a social networking site, of the list of signatories/supporters for the election of the General Council and the Mayor of the Municipality of Bucharest.

In line with the above, recital (39) states that “(...) personal data should be processed in a manner that ensures appropriate security and confidentiality, including for the purpose of preventing unauthorised access to, or unauthorised use of, personal data and the equipment used for the processing.”

At the same time, recital (83) states: “In order to maintain security and to prevent processing in infringement of this regulation, the controller or processor should evaluate the risks inherent in the processing and implement measures to mitigate those risks, such as encryption. Those measures should ensure an appropriate level of security, including confidentiality, taking into account the current stage of development and the costs of implementation in relation to the risks and the nature of the personal data to be protected. In assessing the risk to the security of personal data, attention should be paid to the risks posed by the processing of the data, such as accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or unauthorised access to, personal data transmitted, stored or processed in any other way, which can lead, in particular, to physical, material or non-material damage.”