A new sanction for infringement of the GDPR
The National Supervisory Authority completed an investigation at the controller Kaufland Romania SCS and found a breach of the provisions of Article 29 and Article 32 paragraph (1) letter b), paragraph (2) and paragraph (4) of the General Data Protection Regulation.
The controller Kaufland Romania SCS was sanctioned with a fine in the amount of Lei 9,893.2 (the equivalent of EUR 2,000).
The investigation was started following the submission by the controller, during 2022, of two personal data security breach notifications based on the General Data Protection Regulation.
One of the data security breaches consisted of unauthorized access by some employees of the controller to the personal data of Kaufland clients.
Thus, the employee of the controller who registered a complainant's complaint did not observe the internal procedure for handling a claim and allowed the document to be viewed by the security agent, who subsequently used those data improperly, a situation that led to the breach of the confidentiality of the claimant's personal data.
During the investigation it was found that the controller did not take appropriate technical and organizational measures to ensure that any natural person acting under the authority of the controller who has access to personal data processes them solely upon the request of the controller, thus breaching the provisions of Article 29 and Article 32 of the General Data Protection Regulation.
The second data security breach consisted of the mistaken transmission of a client's order form to another recipient through some delivery platforms.
This situation led to the unauthorized disclosure of and access to the personal data (name, surname, e-mail address, phone number) of the Kaufland client, following the non-observance by the controller of the working procedure for deliveries through the partner platforms.
Therefore, the National Supervisory Authority found that the controller did not implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk that the processing poses to the rights and freedoms of natural persons, generated in particular, accidentally or illegally, by the unauthorized disclosure of personal data.
Legal and Communication Department