Another sanction imposed by ANSPDCP
On the 13th of February 2020, the National Supervisory Authority finalised an investigation at controller Vodafone România SA and found that it infringed the provisions of Law no. 506/2004 on the processing of personal data and the protection of privacy in the electronic communication sector, as subsequently amended and supplemented.
The controller Vodafone România SA was sanctioned with two administrative fines of a total of 20,000 lei.
The sanctions were imposed on the controller following a complaint that Vodafone Romania SA violated the security and confidentiality of personal data.
Thus, a petitioner to the Authority claimed that she had requested an offer over the phone, through the website of the controller Vodafone Romania SA, and that she subsequently received, at her e-mail address, a contract concluded by the controller with another natural person; the petitioner suspected that her personal data may have been disclosed to that person.
As a result of the investigation conducted at the controller, the Authority found that Vodafone Romania SA did not comply with the provisions of Article 3 paragraphs (1) to (3) of Law no. 506/2004, as subsequently amended and supplemented. According to these provisions, the provider of an electronic communications service for the public has the obligation to take appropriate technical and organisational measures to ensure the security of the processing of personal data. These measures must ensure a level of security proportional to the existing risk, taking into account the latest technical possibilities and the costs of implementing these measures, and must comply with at least the following conditions:
a) to guarantee that personal data can only be accessed by authorised persons, for the purposes authorised by law;
b) to protect the stored or transmitted personal data against accidental or unlawful destruction, accidental loss or damage and against unlawful storage, processing, access or disclosure;
c) to ensure the implementation of the security policy developed by the provider regarding the processing of personal data.
Also, it was found that the controller did not comply with the provisions of Article 3 paragraph (6) of Law no. 506/2004, as subsequently amended and supplemented, according to which “In case of a personal data breach, the providers of electronic communications services for the public shall notify ANSPDCP, without delay, of the respective violation.”
In addition to the fines imposed on the controller Vodafone Romania SA, the National Supervisory Authority recommended that the latter take, within 30 days from the date of communication of the minutes of finding/sanctioning, the necessary measures to comply with the provisions of Article 3 paragraphs (1) to (3) of Law no. 506/2004, as subsequently amended and supplemented, in order to implement adequate security measures for the processing of personal data, including with regard to ensuring the confidentiality and protection of personal data against illicit disclosure.
It was also recommended that, in the future, the controller Vodafone Romania SA notify personal data breaches to the National Supervisory Authority without delay.