Sanction for the infringement of GDPR
On the 23rd of June 2020, the National Supervisory Authority finalised an investigation at the controller Proleasing Motors SRL and found that it infringed the provisions of Article 32 paragraphs (1) and (2) of the General Data Protection Regulation.
The controller Proleasing Motors SRL was sanctioned with a fine in the amount of 72,642 lei, the equivalent of 15,000 euros.
The investigation was initiated following the submission by the controller of a notification of a personal data breach, by filling in the specific form established under the General Data Protection Regulation.
The security breach consisted in the fact that a document containing a screenshot of the website's source code, which also included the access password to the forms filled in by the contest participants, was posted on the Facebook page on which the controller ran an online contest to attract customers to its car service.
This situation led to the unauthorised viewing of and access to the personal data of 436 customers of the controller on the website of Proleasing Motors SRL, and to the unauthorised disclosure of these data, contrary to the obligations provided by Article 32 of the General Data Protection Regulation.
As such, the sanction was applied to the controller because it did not implement adequate technical and organisational measures to ensure a level of security appropriate to the risk that the processing posed to the rights and freedoms of individuals, in particular the risk of accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or unauthorised access to, personal data transmitted, stored or otherwise processed.
Also, a corrective measure was applied to the controller to review and update the technical and organisational measures implemented as a result of the risk assessment for the rights and freedoms of individuals, including the electronic communications procedures, so as to avoid similar incidents of unauthorised disclosure of the personal data processed, by reference to Article 58 paragraph (2) letter d) of the General Data Protection Regulation.
At the same time, we point out that, pursuant to Recital (75) of the preamble of the General Data Protection Regulation, the risk to the rights and freedoms of natural persons, of varying likelihood and severity, may result from personal data processing which could lead to physical, material or non-material damage, in particular: where the processing may give rise to discrimination, identity theft or fraud, financial loss, damage to the reputation, loss of confidentiality of personal data protected by professional secrecy, unauthorised reversal of pseudonymisation, or any other significant economic or social disadvantage; where data subjects might be deprived of their rights and freedoms or prevented from exercising control over their personal data; where personal data are processed which reveal racial or ethnic origin, political opinions, religion or philosophical beliefs, trade union membership, and the processing of genetic data, data concerning health or data concerning sex life or criminal convictions and offences or related security measures; where personal aspects are evaluated, in particular analysing or predicting aspects concerning performance at work, economic situation, health, personal preferences or interests, reliability or behaviour, location or movements, in order to create or use personal profiles; where personal data of vulnerable natural persons, in particular of children, are processed; or where processing involves a large amount of personal data and affects a large number of data subjects.