Fine for the GDPR infringement
In November 2022, the National Supervisory Authority finalized an investigation of the controller OTP LEASING ROMANIA IFN SA, in which it found breaches of Article 25 paragraph (1), Article 32 paragraph (1) letters b) and d), and Article 32 paragraph (2) of the General Data Protection Regulation.
The controller was fined Lei 14,675.7 (the equivalent of EUR 3,000).
The investigation was opened following a personal data breach notification submitted by the controller under Article 33 of the General Data Protection Regulation.
In its notification, the controller OTP LEASING ROMANIA IFN SA stated that it had been informed by a natural person that he/she had been able to gain unauthorized access to the My leasing information platform by altering the URL address and creating an administrator account. He/she was thus able to access the data of the controller’s clients, legal persons, that had created an account on the platform in order to follow information about their leasing agreements.
During the investigation it was found that some of the controller’s clients, legal persons, enrolled in the platform had registered as contact data e-mail addresses containing the first name, last name, e-mail address and telephone number of their representatives (natural persons), and that these data could be accessed without authorization on the platform (MyLeasing).
The unauthorized access to the MyLeasing system was caused by the lack of a level of security appropriate to the processing risks, which OTP Leasing should have ensured. As a result, the confidentiality of the personal data processed through the MyLeasing platform for the natural persons concerned, registered as contact persons for the legal persons on the platform, was breached.
The controller OTP Leasing did not inform the data subjects of the personal data security incident, although the unauthorized disclosure of the data could cause damage to the natural persons who are representatives of the legal persons.
Therefore, the National Supervisory Authority found that OTP LEASING ROMANIA IFN SA breached Article 25 paragraph (1), Article 32 paragraph (1) letters b) and d) and Article 32 paragraph (2) of the GDPR, given that the controller did not implement appropriate technical and organizational measures, both when determining the means of processing and when the processing itself took place.
The controller also did not regularly test, assess and evaluate the effectiveness of the technical and organizational measures for ensuring the security of processing, measures intended to implement the data protection principles effectively and to integrate the necessary safeguards into the processing, so as to meet the GDPR requirements and protect the rights of data subjects.
It was also established that the controller did not implement appropriate technical and organizational measures to ensure a level of security appropriate to the processing risk, including the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services.
In this context, we note that according to Recital 78 of the GDPR, “The protection of the rights and freedoms of natural persons with regard to the processing of personal data require that appropriate technical and organisational measures be taken to ensure that the requirements of this Regulation are met. In order to be able to demonstrate compliance with this Regulation, the controller should adopt internal policies and implement measures which meet in particular the principles of data protection by design and data protection by default.”
Recital 83 of the GDPR also states that: “In order to maintain security and to prevent processing in infringement of this Regulation, the controller or processor should evaluate the risks inherent in the processing and implement measures to mitigate those risks (…) Those measures should ensure an appropriate level of security, including confidentiality (…) In assessing data security risk, consideration should be given to the risks that are presented by personal data processing, (…) which may in particular lead to physical, material or non-material damage.”
Legal and Communication Department