In October 2014, representatives of the National Supervisory Authority for Personal Data Processing carried out an investigation at the premises of S.C. ORANGE ROMÂNIA S.A., following a complaint received by the supervisory authority, which brought to our attention a possible infringement of the provisions of Article 33 of Law no. 677/2001, as regards the failure to comply with the obligations on ensuring the confidentiality of data and applying adequate security measures.
More precisely, the petitioner mentioned that he contacted an Orange shop in Cluj Napoca in order to have a mobile phone bought from S.C. Orange România S.A. serviced as it required repairing. In exchange for his phone, the petitioner received from the service another phone to use whilst his phone was repaired.
The petitioner noticed that the memory of the phone he received from the service still contained personal data from previous users: automatic log-in on Facebook, phone numbers and personal messages, including bank account balance. As a result, the petitioner initially contacted the data controller - S.C. Orange România S.A. by phone, but later mentioned to the supervisory authority that his request was not taken into consideration.
During the investigation carried out, it was noticed that S.C. Orange România S.A. hadn’t taken the necessary measures in order to prevent the disclosure or authorised access to the personal data stored on the phone received from service - property of S.C. Orange România S.A.
As a result, the supervisory authority sanctioned S.C. Orange România S.A. with a contraventional fine of 10.000 RON for the offense of failure to comply with the obligations on applying adequate security measures and maintaining the confidentiality of the personal data processing.
The Legal and Communication Dept.
5th November 2014