Home » Comunicat_presa_19_/_04_/_2021
 Română | English | Francais

19/04/2021

Sanction for the infringement of GDPR

 

The National Supervisory Authority finalised in March an investigation at the controller Lugera&Markler Broker S.R.L. and found that the provisions of Article 29 and Article 32 paragraphs (2) and (4) of the General Data Protection Regulation have been breached.

Therefore, the controller Lugera&Markler Broker S.R.L. was sanctioned with a fine in amount of Lei 7,331.85 (the equivalent of Eur 1,500).

The investigation took place following an intimation received from a natural person and of a notification of personal data security breach submitted by Raiffeissen Bank S.A. from which it resulted that Lugera&Markler Broker S.R.L. (processor of the controller Raifaissen Bank S.A.) did not deliver to Raifaissen Bank S.A. the documents corresponding to the prescoring activities performed by one of his employees because the latter have been destroyed.

Within the investigation, the National Supervisory Authority found that the controller Lugera&Markler Broker S.R.L. (as processor of the controller Raiffeissen Bank S.A.) did not take measures to ensure that any natural person acting under its authority and which has access to personal data processes them solely at its request and did not implement appropriate technical and organisational measures in order to ensure a level of security appropriate to the processing risk generated, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access to personal data transmitted, stored or otherwise processed.

Also, following the performance of 1372 prescoring operations by a sales agent, employee of Lugera&Markler Broker S.R.L., 1,058 data subjects were affected by the security incident, as the original documentation corresponding to the prescoring was not delivered to the agent, but destroyed, fact that generated the security incident notified by Raifaissen Bank to ANSPDCP, thus the provisions of Article 29, Article 32 paragraphs 2 and 4 of the General Data Protection Regulation being breached.

 

Legal and Communication Department

ANSPDCP