Fine for the infringement of GDPR
In February, the National Supervisory Authority finalised an investigation at the controller Civil Professional Attorneys-at-Law Firm „Sabou, Burz & Cuc” and found that it breached the provisions of Article 5 paragraph (1) letters a), b), c) and f) and paragraph (2) and of Article 6 of the General Data Protection Regulation.
The Civil Professional Attorneys-at-Law Firm „Sabou, Burz & Cuc” was sanctioned with a fine in the amount of Lei 4,946, the equivalent of EUR 1,000.
The investigation was started following a complaint claiming that the controller had disclosed the personal data of a claimant (a client of the controller), without his agreement and prior information, by posting an address received by the latter from a public institution on a WhatsApp group used by the lawyers of a bar.
The investigation found that the Civil Professional Attorneys-at-Law Firm „Sabou, Burz & Cuc” disclosed the personal data of the data subject (first name, last name, domicile address, information regarding a file pending before a court) on a WhatsApp group of 247 members, without a legal basis, excessively and in a manner incompatible with the initial purpose of their collection, as well as without taking technical and organisational measures for ensuring the confidentiality of these data, thus breaching the provisions of Article 5 paragraph (1) letters a), b), c) and f) and paragraph (2), as well as those of Article 6 of the General Data Protection Regulation.
Also, the following corrective measures were applied to the controller:
- the corrective measure to ensure the compliance with the General Data Protection Regulation of the activities of collecting and subsequently processing the claimant’s personal data, in order to ensure the notification of all the members of the WhatsApp group used by the lawyers of a bar in order to erase the address posted within this group;
- the corrective measure to ensure the compliance with the General Data Protection Regulation of the operations of collecting and subsequently processing personal data within the relationships of legal assistance and representation of the controller’s clients, so as to avoid the disclosure of the personal data obtained by them outside the situations permitted by law, including through the regular training of the persons processing data under the authority of the controller.