ANSPDCP - SC Medicover SRL

ANSPDCP - A.N.S.P.D.C.P. - SC Medicover SRL
Authority: ANSPDCP (Romania)
Jurisdiction: Romania
Relevant Law: Article 32(1)(b) GDPR
Article 32(2) GDPR
Article 32(4) GDPR
Type: Investigation
Outcome: Violation Found
Decided: n/a
Published:
Fine: 2000 EUR
Parties: SC Medicover SRL
National Case Number/Name: A.N.S.P.D.C.P. - SC Medicover SRL
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Romanian
Original Source: A.N.S.P.D.C.P. (in RO)
Initial Contributor: Andrada Mocanu

The Romanian DPA (ANSPDCP) fined SC Medicover SRL €2,000 after completing an investigation concerning the operator and finding a violation of Article 32 GDPR, paragraphs (1)(b), (2) and (4).

English Summary

Facts

The data operator sent successive personal data breach notifications to ANSPDCP, which initiated an investigation.

The operator reported unauthorized disclosure of and unauthorized access to personal data such as name and surname, ID number, home address, correspondence address, telephone and e-mail, as well as data on health status, which were sent to individuals other than the intended recipients, at their e-mail or postal address.

Following the investigation, ANSPDCP found that the controller did not implement adequate technical and organizational measures to ensure that any natural person acting under the authority of the controller that has access to personal data only processes them at the request of the controller, which led to unauthorized disclosure and unauthorized access to personal data transmitted to individuals other than the recipients, on their e-mail address or postal address.

Dispute

Holding

The Romanian DPA found a violation of Article 32(1)(b), Article 32(2) and Article 32(4) of the GDPR and fined SC Medicover SRL €2,000.

English Machine Translation of the Decision

The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.

A.N.S.P.D.C.P. completed in February an investigation concerning the operator S.C. Medicover S.R.L. and found a violation of the provisions of Article 32(1)(b), Article 32(2) and Article 32(4) of the GDPR.
As such, the operator S.C. Medicover S.R.L. was sanctioned with a fine of 97496 RON (equivalent to 2000 EURO).

The data operator sent successive notifications of personal data breach to A.N.S.P.D.C.P. which initiated an investigation. The operator signaled unauthorized disclosure and unauthorized access to personal data such as: name and surname, ID number, home address, correspondence address, telephone and e-mail, respectively data on the health status, sent to individuals other than the recipients, to their e-mail or postal address.

Following the investigation, A.N.S.P.D.C.P. found that the controller did not implement adequate technical and organizational measures to ensure that any natural person acting under the authority of the controller that has access to personal data only processes them at the request of the controller, which led to unauthorized disclosure and unauthorized access to personal data transmitted to individuals other than the recipients, on their e-mail address or postal address.

The operator also has to apply the following corrective measures:
- to review and update the technical and organizational measures implemented (as a result of the risk assessment for the rights and freedoms of individuals performed by the authority), including work procedures on the protection of personal data, as well as implement the measures on the regular training of the employees. The trainings should focus especially on the obligations the employees have according to the provisions of the GDPR;
- to identify and implement measures to ensure that the personal data processed are accurate and up-to-date, taking into account the purposes for which they are processed and that inaccurate data are deleted or rectified without delay (for example, a mechanism for verifying the validity of the e-mail address at the time of the collection).



Legal and communication department,

A.N.S.P.D.C.P.