ANSPDCP (Romania) - 26.09.2023

From GDPRhub
Revision as of 17:55, 9 October 2023 by Maxinescu (talk | contribs) (Created page with "{{DPAdecisionBOX |Jurisdiction=Romania |DPA-BG-Color=background-color:#ffffff; |DPAlogo=LogoRO.jpg |DPA_Abbrevation=ANSPDCP |DPA_With_Country=ANSPDCP (Romania) |Case_Number_Name=26.09.2023 |ECLI= |Original_Source_Name_1=Romanian DPA |Original_Source_Link_1=https://www.dataprotection.ro/?page=Comunicat_Presa_26_09_2023&lang=ro |Original_Source_Language_1=Romanian |Original_Source_Language__Code_1=RO |Original_Source_Name_2= |Original_Source_Link_2= |Original_Source_Lan...")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
ANSPDCP - 26.09.2023
LogoRO.jpg
Authority: ANSPDCP (Romania)
Jurisdiction: Romania
Relevant Law: Article 32(1)(b) GDPR
Article 32(1)(d) GDPR
Article 4 (5) Law 506/2004 (implementing ePrivacy Directive)
Type: Investigation
Outcome: Violation Found
Started:
Decided:
Published:
Fine: 32000 EUR
Parties: n/a
National Case Number/Name: 26.09.2023
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Romanian
Original Source: Romanian DPA (in RO)
Initial Contributor: maxinescu

An energy company was sanctioned with a fine of 25,000 EUR for the failure to comply with technical and organizational measures, assessing a violation of Article 32 (1) (b) and (d) GDPR, following a data breach affecting at least 750 data subjects. Also, the company was sanctioned with a fine of 8,000 EUR for the failure to comply with cookies requirements under Law 506/2004 (implementing ePrivacy Directive).

English Summary

Facts

The DPA initiated an investigation upon receiving a complaint regarding a potential breach of personal data security on an energy company website. The data breach consisted in the fact that a file of the controller’s website containing personal data including name, surname, address, telephone numbers, e-mail address, contract number and date of concluding the contract pertaining to a number of at least 750 data subjects was publicly accessible by accessible, by accessing a link generated by search engines. The accessibility of the file lasted for a period of about 2 years and a half. During the investigation, DPA also assessed that during the accession of the website by users, it also employed cookies which were not necessary from a technical perspective for the operation of the website. The cookies were installed before the user was asked to grant the consent button. Also, even if the user was not agreeing with the cookies employment and accessed the Refuse button, this option was not actually observed by the controller, as the cookies remained installed for a certain period of time, on the user’s device, irrespective of the user’s choice.

Holding

The DPA assessed a violation of Article 32 (1) (b) and (d) GDPR, as well as a breach of Article 4 (5) of Law 506/2004. In addition to the sanctions imposed, the DPA has also imposed corrective measures, ordering the controller to implement a procedural plan including a process of periodic testing, evaluation and reassessment of all systems and their subsequent changes made by the controller or its service providers (processors), in particular with respect to the website managed by the controller.

Comment

Unfortunately, the Romanian DPA does not publish its full decisions. This summary is based on a press release.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.

https://www.dataprotection.ro/?page=Comunicat_Presa_26_09_2023&lang=ro