Sanction for the infringement of GDPR applied to a natural person
The National Supervisory Authority finalised on 16.02.2021 an investigation into a natural person who held, at the same time, the position of General Secretary within a Bucharest district branch of a political party, and found a breach of the provisions of Article 31 paragraphs (1) and (2) and of the provisions of Article 58 paragraph (1) letters a) and e) of the General Data Protection Regulation.
The natural person, as controller, was sanctioned with a fine totalling Lei 2,437.35 (the equivalent in Lei of EUR 500).
The investigation started following the receipt of a notification claiming that, on a social network, on the personal page of a natural person holding the position of General Secretary within a district branch of a political party, a list containing 10 entries with signatory parties/supporters for the election of the General Council and Mayor of Bucharest County had been published, in which their personal data were accessible. The data disclosed were the first name and last name, signature, citizenship, date of birth, address, series and number of the identity card, and political option of the signatory parties/supporters.
During the investigation, the National Supervisory Authority found that the controller, contrary to the obligations established under Article 32 of the GDPR, did not implement appropriate technical and organisational measures to ensure a level of security corresponding to the risk that the processing posed to the rights and freedoms of natural persons. This led to the disclosure to the general public of, and unauthorised access to, the personal data of 10 data subjects, supporters of a candidate in the local elections of September 2020, although under Article 5 letter f) of the GDPR the controller had the obligation to observe the “integrity and confidentiality principle”.
Therefore, the controller was sanctioned for the breach of the provisions of Article 32 GDPR related to the security of the processing.
At the same time, the controller was also sanctioned for the act provided under Article 83 paragraph (5) of Regulation (EU) 679/2016, in conjunction with Article 58 paragraph (1) letter a) and letter e) and with Article 8 of G.O. no. 2/2991, given that it did not respond to the requests of the National Supervisory Authority for Personal Data.
The Authority also imposed on the controller the corrective measure of erasing the data disclosed through the posting, on the personal page on a social network, of a list of signatory parties/supporters for the election of the General Council and Mayor of Bucharest County.
In line with the above, recital 39 states that “(…) Personal data should be processed in a manner that ensures appropriate security and confidentiality of the personal data, including for preventing unauthorised access to or use of personal data and the equipment used for the processing.”
At the same time, recital 83 provides that “In order to maintain security and to prevent processing in infringement of this Regulation, the controller or processor should evaluate the risks inherent in the processing and implement measures to mitigate those risks, such as encryption. Those measures should ensure an appropriate level of security, including confidentiality, taking into account the state of the art and the costs of implementation in relation to the risks and the nature of the personal data to be protected. In assessing data security risk, consideration should be given to the risks that are presented by personal data processing, such as accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed which may in particular lead to physical, material or non-material damage.”