ANSPDCP (Romania) - SC Medicover SRL: Difference between revisions

From GDPRhub

Revision as of 16:34, 23 March 2021

ANSPDCP - A.N.S.P.D.C.P. - SC Medicover SRL
Authority: ANSPDCP (Romania)
Jurisdiction: Romania
Relevant Law: Article 32(1)(b) GDPR
Article 32(2) GDPR
Article 32(4) GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided:
Published:
Fine: 2000 EUR
Parties: SC Medicover SRL
SC Medicover SRL
National Case Number/Name: A.N.S.P.D.C.P. - SC Medicover SRL
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Romanian
Original Source: A.N.S.P.D.C.P. (in RO)
Initial Contributor: Andrada Mocanu

The Romanian DPA fined SC Medicover SRL 2000 EUR after completing an investigation of the operator and finding a violation of Article 32 GDPR, paragraphs (1)(b), (2) and (4).


English Summary

Facts

The data operator sent successive notifications of personal data breach to A.N.S.P.D.C.P. which initiated an investigation.

The operator reported unauthorized disclosure of, and unauthorized access to, personal data such as name and surname, ID number, home address, correspondence address, telephone and e-mail, as well as data on health status. The data were sent to individuals other than the recipients, at their e-mail or postal address.

Following the investigation, A.N.S.P.D.C.P. found that the controller had not implemented adequate technical and organizational measures to ensure that any natural person acting under the authority of the controller who has access to personal data processes them only at the request of the controller. This led to unauthorized disclosure of, and unauthorized access to, personal data transmitted to individuals other than the recipients, at their e-mail or postal address.


Dispute

Holding

The Romanian DPA found a violation of Article 32(1)(b), Article 32(2) and Article 32(4) of the GDPR.


English Machine Translation of the Decision

The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.

A.N.S.P.D.C.P. completed an investigation in February concerning the operator S.C. Medicover S.R.L. and found a violation of the provisions of Article 32(1)(b), Article 32(2) and Article 32(4) of the GDPR.
As such, the operator S.C. Medicover S.R.L. was sanctioned with a fine of 97496 RON (equivalent to 2000 EURO).

The data operator sent successive notifications of personal data breach to A.N.S.P.D.C.P., which initiated an investigation. The operator reported unauthorized disclosure of, and unauthorized access to, personal data such as name and surname, ID number, home address, correspondence address, telephone and e-mail, as well as data on health status, sent to individuals other than the recipients, at their e-mail or postal address.

Following the investigation, A.N.S.P.D.C.P. found that the controller had not implemented adequate technical and organizational measures to ensure that any natural person acting under the authority of the controller who has access to personal data processes them only at the request of the controller, which led to unauthorized disclosure of, and unauthorized access to, personal data transmitted to individuals other than the recipients, at their e-mail address or postal address.

The operator also has to apply the following corrective measures:
- to review and update the technical and organizational measures implemented (as a result of the risk assessment for the rights and freedoms of individuals performed by the authority), including work procedures on the protection of personal data, as well as to implement measures for the regular training of employees. The training should focus especially on the obligations the employees have under the provisions of the GDPR;
- to identify and implement measures to ensure that the personal data processed are accurate and up-to-date, taking into account the purposes for which they are processed, and that inaccurate data are deleted or rectified without delay (for example, a mechanism for verifying the validity of the e-mail address at the time of collection).



Legal and communication department,

A.N.S.P.D.C.P.