ANSPDCP - Qualitance QBS SA

From GDPRhub
ANSPDCP - Qualitance QBS SA
LogoRO.jpg
Authority: ANSPDCP (Romania)
Jurisdiction: Romania
Relevant Law: Article 32 GDPR
Type: Investigation
Outcome: Violation Found
Decided: n/a
Published: 29.12.2020 [[Category:]]
Fine: 1000 EUR
Parties: Qualitance QBS SA
National Case Number/Name: Qualitance QBS SA
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Romanian
Original Source: ANSPDCP (in RO)
Initial Contributor: Stefan Musat

The Romanian DPA (ANSPDCP) imposed a €1000 fine on Qualitance QBS SA for disclosing 295 e-mail addresses to other recipients.

English Summary[edit | edit source]

Facts[edit | edit source]

The Romanian DPA (ANSPDCP) received many complaints regarding the fact that the controller sent information by e-mail to 295 persons revealing the e-mail addresses of the other recipients. The data subjects were candidates who provided their personal data for recruitment on the operator's website or through online applications.

Dispute[edit | edit source]

Does sending information by e-mail to a group of persons and revealing the e-mail addresses of the other recipients lead to a violation of the GDPR?

Holding[edit | edit source]

The ANSPDCP found that the controller did not implement sufficient security measures to ensure the confidentiality of the personal data of data subjects, which led to the disclosure of e-mail addresses belonging to a number of 295 persons to other recipients, breaching the provisions of Article 32 GDPR.

In addition to the applied fine of €1000, the Romanian DPA applied the corrective measure of implementing appropriate technical and organizational measures in the case of remote transmission of personal data, including regular training of the persons that process personal data under the controller's authority (employees or collaborators).

Comment[edit | edit source]

Share your comments here!

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.

The National Supervisory Authority completed an investigation at the operator Qualitance QBS SA and found the violation of the provisions of art. 32 of the General Data Protection Regulation. 
The operator Qualitance QBS SA was sanctioned with a fine in the amount of 4,867.50 lei (equivalent to 1,000 EURO). 
The investigation was initiated following the receipt of complaints claiming that the operator had sent an e-mail to 295 persons (candidates who provided their personal data for recruitment on the operator's website or through online applications line), thus revealing the e-mail addresses of the other recipients. During the investigation, the National Supervisory Authority found that the operator did not implement sufficient security measures to ensure the confidentiality of the personal data of data subjects, which led to the disclosure of e-mail addresses belonging to 295 persons to other recipients, contrary to the obligations provided by art. 32 of the RGPD. In this sense, art. 32 also stipulates the obligation of the operator to implement appropriate technical and organizational measures, including the ability to ensure the confidentiality, integrity, availability and ongoing resilience of processing systems and services.
Qualitance QBS SA was also applied the corrective measure to ensure the compliance of personal data processing operations with the General Data Protection Regulation, by implementing appropriate technical and organizational measures in case of remote transmission of personal data, including regular training of data controllers under its authority (employees or collaborators). 

Legal and Communication Department 
ANSPDCP