ANSPDCP - S.C. Marsorom S.R.L.
|ANSPDCP - ANSPDCP - S.C. Marsorom S.R.L.|
|Relevant Law:||Article 5(1)(e) GDPR|
Article 25 GDPR
Article 32 GDPR
|Parties:||S.C. Marsorom S.R.L.|
|National Case Number/Name:||ANSPDCP - S.C. Marsorom S.R.L.|
|European Case Law Identifier:||n/a|
|Original Source:||ANSPDCP (in RO)|
The Romanian DPA (ANSPDCP) has issued a €3000 fine against a website operator who failed to prevent the unauthorised disclosure of its customers' personal data.
English Summary[edit | edit source]
Facts[edit | edit source]
The DPA conducted the investigation after being notified that on the website in question, some personal data of the website's customers were visible. If customers placed an order on the website, some of their personal data could be accessed without authorisation.
Dispute[edit | edit source]
Did the website operator, in its role as data controller, take sufficient technical and organisational measures to protect the personal data of its customers? Furthermore, did the controller act in breach of the storage limitation principle?
Holding[edit | edit source]
The ANSPDCP held that the controller failed to take appropriate measures and breached the storage limitation principle enshrined in Article 5(1)(e) GDPR, and also failed to fulfill its obligation under Articles 25 and 32 GDPR.
Consequently, the DPA issued a €3000 fine and recommended the website operator to establish a shorter storage period for the personal data associated with the accounts of its customers.
Comment[edit | edit source]
Share your comments here!
Further Resources[edit | edit source]
Share blogs or news articles here!
English Machine Translation of the Decision[edit | edit source]
The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.
15.10.2020 Fine for violation of RGPD The National Supervisory Authority completed, on 21.09.2020, an investigation at SC Marsorom SRL , finding the violation of art. 25 and art. 32 of the General Regulation on Data Protection. The operator SC Marsorom SRL was sanctioned with a fine in the amount of 14574.9 lei, the equivalent of the amount of 3000 EURO. The investigation took place as a result of a notification claiming that some personal data of its customers could be viewed on the operator's website. During the investigation it was found that the operator SC Marsorom SRL violated the provisions of art. 25 and 32 of the General Data Protection Regulation as it did not adopt sufficient security measures to prevent unauthorized access and disclosure of personal data of customers who placed orders on this site. At the same time, the operator was recommended to establish a shorter storage period of personal data related to customer accounts in order to comply with the principle of storage limitation provided by art. 5 para. (1) lit. e) of the General Regulation on Data Protection. A.N.S.P.D.C.P.