Sanction for infringement of the GDPR
In March 2022, the National Supervisory Authority completed an investigation of the controller Condor SA and found a breach of the provisions of Article 32 paragraphs (1), (2) and (4) of the General Data Protection Regulation.
The controller was therefore sanctioned with a fine in the amount of Lei 9,897.4 (the equivalent of EUR 2,000).
The investigation was started following a notification claiming that the controller Condor S.A. had disclosed personal data regarding the salaries of its employees or former employees to unauthorised persons.
The investigation found that there had been unauthorised access to some files that were not password-protected and that contained personal data of employees or former employees, such as: workplace, first name, last name, position, base salary, advance amount, bank account and personal identification numbers.
The National Supervisory Authority therefore found that the controller Condor SA did not present sufficient evidence that it had taken sufficient appropriate technical and organisational measures to ensure the confidentiality of the personal data of employees or former employees that it processed. It also found that the controller did not present evidence of the training of the persons processing data under its authority, which led to the unauthorised access to some documents. Thus, the provisions of Article 32 paragraphs (1), (2) and (4) of the General Data Protection Regulation were infringed.
In the course of the investigation, two corrective measures were also applied to the controller, as follows:
- the corrective measure to bring the personal data processing operations into compliance with the General Data Protection Regulation, through the implementation of appropriate technical and organisational measures, including the training of the persons processing data under its authority;
- the corrective measure to bring the personal data processing operations into conformity with the General Data Protection Regulation, by contacting the person who has unauthorised access to those personal data, in order to erase or, as the case may be, destroy them.
Legal and Communication Department