A new sanction for the infringement of GDPR
The National Supervisory Authority finalized in July 2022 an investigation of the controller Enel Energie Muntenia S.A., which found a breach of the General Data Protection Regulation. The controller was sanctioned with a fine and a reprimand, as follows:
- a fine of 49,337 lei (the equivalent of EUR 10,000) for the breach of the provisions of Article 32 GDPR;
- a reprimand for the breach of the provisions of Article 33.
The investigation was started following complaints submitted by a natural person, who reported that, after a phone request addressed to Enel Energie Muntenia S.A., he/she received from the address firstname.lastname@example.org a response addressed to another client (also a natural person), accompanied by documents that could be viewed in his/her e-mail inbox.
During the investigation, it was found that the controller Enel Energie Muntenia S.A. did not present clear information regarding the reasons for which one of its employees sent the response to the claimant by error.
Also, the controller did not present evidence showing that it had taken remediation measures to reduce the risk to which the personal data were exposed and to prevent further disclosure of, or unlawful access to, the personal data.
The controller did not present evidence that it had notified this incident to the National Supervisory Authority. However, considering the circumstances of this case, described above, the security incident should have been notified under Article 33 of the GDPR within a maximum of 72 hours from the date on which the controller Enel Energie Muntenia S.A. became aware of it.
Therefore, the controller Enel Energie Muntenia S.A. was sanctioned with a fine, because it did not adopt sufficient security measures in accordance with Article 32 of the GDPR, which led to a security incident in which documents visibly containing the personal data of a data subject were sent by e-mail to a third party; and with a reprimand, because it did not notify the National Supervisory Authority for the Processing of Personal Data.
Also, based on Article 58 paragraph (2) letter d) of the GDPR, the following were ordered against the controller Enel Energie Muntenia S.A.:
- the corrective measure of ensuring that its personal data processing activities comply with the GDPR, by implementing technical and organisational measures appropriate to the specifics of the processing and to the risks identified, across the entire processing flow, in particular as regards the training of the persons who process data under its authority (employees or collaborators), the regular verification that the instructions given to them are observed, the automation of processes so as to reduce the risk of unlawful or illegal processing of personal data, and the prompt identification, management and reporting of personal data security breaches;
- the corrective measure of ensuring that its personal data processing operations comply with the GDPR, by contacting the claimant (at his/her e-mail address) to request that he/she erase or destroy, as the case may be, the personal information to which he/she had access after receiving by e-mail the correspondence addressed to a third party;
- the corrective measure of ensuring that its personal data processing operations comply with the GDPR, by adopting internal measures to reduce the risks to which the personal data of the third party were exposed, in order to prevent further unlawful disclosure of, or access to, his/her personal data.
Legal and Communication Department