Home » Comunicat_Presa_27_05_2021


Sanction for the infringement of GDPR


In May of the current year, the National Supervisory Authority completed an investigation at Vodafone România S.A. and found a breach of the provisions of Article 3 paragraphs (1) and (3) letters a) and b) of Law no. 506/2004, as amended and supplemented.

Therefore, the controller Vodafone România S.A. was sanctioned with a fine in the amount of Lei 5,000.

The investigation was started following a personal data breach notification submitted by the controller, based on the provisions of Article 33 of the General Data Protection Regulation.

During the investigation, it was found that invoices belonging to some Vodafone clients had been wrongly sent to the e-mail addresses of third parties. This led to the processing of, and unauthorised access to, some personal data of the Vodafone clients, such as first name, last name, telephone number, client code and address.

Therefore, the National Supervisory Authority found that the controller did not take appropriate technical and organisational measures to safeguard the security of the processing of personal data, namely measures that guarantee that personal data can be accessed solely by authorised persons for the purposes authorised by law and that protect the personal data stored or provided against unlawful processing, access or disclosure.

On this occasion, we reiterate the need for each controller to instruct its employees internally on the personal data protection rules, as part of the mandatory organisational measures incumbent on it.


Legal and Communication Department