Home » Comunicat_Presa_22_09_2022
 Română | English | Francais

sigla_anspdcp_2.png

The new Regulation 2016/679 applicable from 25th of May 2018

 

Complaints

GDPR Complaints

 

Procedure for complaints

Information on the payment of fine by legal entities

Controllers

Data Protection Officer Form

 

GDPR Breach Notification

 

Law nr. 506/2004 Breach Notification

 

GDPR Sanctions

Schengen

 

Schengen

News

Useful Information

 

F.A.Q.

Guidelines Q&A Regulation (EU) 2016/679

Indicative guidelines GDPR

Guidelines on the application of Law no. 363/2018

Useful Links

 

TFTP - Terrorist Finance Tracking Program

 

 

 

Procedure

Forms

Contact

Contact us

Data Protection

Information on the processing of personal data carried out by ANSPDCP

 

Cookies policy

22.09.2022

A new sanction for the GDPR infringement

 

The National Supervisory Authority finalized in May 2022 an investigation at the controller Bitfactor SRL and found the breach of the provisions of Article 25 paragraph (1) and Article 32 paragraph (1) and (2) of the General Data Protection Regulation.

The controller Bitfactor SRL was sanctioned with fine in amount of Lei 9,852.8 (the equivalent of EUR 2,000).

The investigation Was started following the submission by the controller of a personal data security breach notification based on the General Data Protection Regulation.

The breach of the data security took place following a faulty functioning of an application of the controller that was sending marketing communications to the users of it’s website, which led to the breach of the personal data confidentiality of a number of 1,757 data subjects, users of the controller’s website.

Within the investigation it was found that the controller did not implement adequate technical and organizational measures, to continuously protect the personal data of the data subjects, both when determining the processing means and when processing them, intended for efficiently implementing the data protection principles and to integrate the necessary guarantees within the processing, although, according to Article 5 letter f) of the General Data Protection Regulation, the controller had the obligation to observe the integrity and confidentiality principle.

In this context, we underline that Article 25 paragraph (1) of the General Data protection Regulation provides that “the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data-protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects.”

Also, Recital 78 of the General Data Protection Regulation provides that “the controller should adopt internal policies and implement measures which meet in particular the principles of data protection by design and data protection by default.”

Therefore, the controller Bitfactor SRL was sanctioned with fine in amount of Lei 9,852.8 (the equivalent of EUR 2,000) for the breach of the provisions of Article 25 paragraph (1) and Article 32 paragraph (1) letters b), d) and paragraph (2) of the General Data Protection Regulation.

 

Legal and Communication Department

A.N.S.P.D.C.P.