ANSPDCP (Romania) - SC Medicover SRL
| ANSPDCP - A.N.S.P.D.C.P. - SC Medicover SRL | |
|---|---|
 | |
| Authority: | ANSPDCP (Romania) |
| Jurisdiction: | Romania |
| Relevant Law: | Article 32(1)(b) GDPR Article 32(2) GDPR Article 32(4) GDPR |
| Type: | Investigation |
| Outcome: | Violation Found |
| Started: | |
| Decided: | |
| Published: | |
| Fine: | 2000 EUR |
| Parties: | SC Medicover SRL SC Medicover SRL |
| National Case Number/Name: | A.N.S.P.D.C.P. - SC Medicover SRL |
| European Case Law Identifier: | n/a |
| Appeal: | n/a |
| Original Language(s): | Romanian |
| Original Source: | A.N.S.P.D.C.P. (in RO) |
| Initial Contributor: | Andrada Mocanu |
The Romanian DPA (ANSPDCP) fined SC Medicover SRL with €2,000 after completing an investigation concerning the operator and finding a violation of Article 32 GDPR, paragraphs (1)(b), (2) and (4).
English Summary
Facts
The data operator sent successive notifications of personal data breach to ANSPDCP which initiated an investigation.
The operator signalled unauthorized disclosure and unauthorized access to personal data such as: name and surname, ID number, home address, correspondence address, telephone and e-mail, respectively data on the health status, sent to individuals other than the recipients, to their e-mail or postal address.
Following the investigation, ANSPDCP found that the controller did not implement adequate technical and organizational measures to ensure that any natural person acting under the authority of the controller that has access to personal data only processes them at the request of the controller, which led to unauthorized disclosure and unauthorized access to personal data transmitted to individuals other than the recipients, on their e-mail address or postal address.
Dispute
Holding
The Romanian DPA found a violation of Article 32(1)(b), Article 32(2) and Article 32(4) of the GDPR and fined SC Medicover SRL €2,000.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.
A.N.S.P.D.C.P. completed in February an investigation concerning the operator S.C. Medicover S.R.L. and found a violation of the provisions of Article 32(1)(b), Article 32(2) and Article 32(4) of the GDPR. As such, the operator S.C. Medicover S.R.L. was sanctioned with a fine of 97496 RON (equivalent to 2000 EURO). The data operator sent successive notifications of personal data breach to A.N.S.P.D.C.P. which initiated an investigation. The operator signaled unauthorized disclosure and unauthorized access to personal data such as: name and surname, ID number, home address, correspondence address, telephone and e-mail, respectively data on the health status, sent to individuals other than the recipients, to their e-mail or postal address. Following the investigation, A.N.S.P.D.C.P. found that the controller did not implement adequate technical and organizational measures to ensure that any natural person acting under the authority of the controller that has access to personal data only processes them at the request of the controller, which led to unauthorized disclosure and unauthorized access to personal data transmitted to individuals other than the recipients, on their e-mail address or postal address. The operator also has to apply the following corrective measures: -to review and update the technical and organizational measures implemented (as a result of the risk assessment for the rights and freedoms of individuals performed by the authority), including work procedures on the protection of personal data, as well as implement the measures on the regular training of the employees. The trainings should focus especially on the obligations the employees have according to the provisions of the GDPR; -to identify and implement measures to ensure that the personal data processed are accurate and up-to-date, taking into account the purposes for which they are processed and that inaccurate data are deleted or rectified without delay (for example, a mechanism for verifying the validity of the address e-mail at the time of the collection). Legal and communication department, A.N.S.P.D.C.P.
