ANSPDCP - Vodafone România SA 1
|ANSPDCP - Vodafone România SA|
|Relevant Law:||Article 5(1)(d) GDPR|
Article 5(1)(f) GDPR
Article 5(2) GDPR
Article 58(2)(d) GDPR
|Parties:||Vodafone România SA|
|National Case Number/Name:||Vodafone România SA|
|European Case Law Identifier:||n/a|
|Original Source:||ANSPDCP (in RO)|
The ANSPDCP fined Vodafone România SA 3,000 € for failing to implement adequate technical and organisational measures when processing personal data, thus violating the principles of accuracy, integrity, confidentiality and accountability.
The ANSPDCP carried out investigation against the Romanian telecommunication operator Vodafone România SA. The company transmitted personal data to inaccurate e-mail address while handling a data subject's complaint.
Did the controller processed personal data in line with the GDPR principles?
The ANSPDCP found that the company processed personal data without having implemented sufficient security measures. Thus it violated the principles of accuracy, integrity and confidentiality as laid down in Article 5(1)(d) and (f) GDPR read in conjunction with the principle of accountability according to Article 5(2) GDPR. The ANSPDCP imposed a fine of 14308.8 lei (equivalent to EUR. 3.000) and pursuant to Article 58(2)(d) GDPR it ordered the complany to put in place efficient technical and organisational measures within 30 days.
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.
On 11.02.2020, the National Supervisory Authority finalized an investigation at the operator of Vodafone Romania SA and found that it violated the principles of processing of personal data established by the provisions of art. 5 paragraph (1) lit. d) and f) corroborated with art. 5 paragraph (2) of the General Regulation on Data Protection. The operator of Vodafone Romania SA was sanctioned contraventional with a fine in the amount of 14308.8 lei, the equivalent of 3,000 euros. The sanction was applied to the operator because he mistakenly processed personal data of a natural person in order to solve his complaint, which subsequently determined the transmission of the operator's response to an incorrect e-mail address, not having taken sufficient security measures against the illegal processing of the data. personnel of the respective person, in violation of the processing principles provided by art. 5 paragraph (1) lit. d) and f) in conjunction with art. 5 paragraph (2) of the General Regulation on Data Protection. At the same time, a corrective measure was applied to the operator of Vodafone Romania SA, according to the provisions of art. 58 paragraph (2) lit. d) of the General Regulation on Data Protection. Thus, the operator was obliged to ensure compliance with the General Regulation on Data Protection of the operations for the collection and subsequent processing of personal data, by implementing efficient methods of respecting the accuracy of the data, including in the case of data collection, such as the e-mail address. In this regard, it was ordered to put in place adequate and efficient security measures from a technical and organizational point of view, including by regular training of persons processing data under the authority of the operator, within 30 days from the date of communication of the minutes. sanction. In this context, we highlight the provisions of art. 5 paragraph (1) of the General Regulation on Data Protection, which provide that “personal data are: d) accurate and, if necessary, updated; all necessary measures must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are deleted or rectified without delay ("accuracy"); f) processed in a manner that ensures adequate security of personal data, including protection against unauthorized or illegal processing and against accidental loss, destruction or damage, by taking appropriate technical or organizational measures ("integrity and confidentiality") . " Also, art. 5 paragraph (2) of the Regulation provides that "The operator is responsible for compliance with paragraph 1 and can demonstrate this compliance (" responsibility ")".