A NEW FINE FOR THE APPLICATION OF GDPR
On the 2nd of July 2019 the National Supervisory Authority finalised an investigation at the controller WORLD TRADE CENTER BUCHAREST S.A. and found that the controller had infringed the provisions of Article 32 (4) in relation to Article 32 (1) and (2) of the General Data Protection Regulation in respect of the security of the processing.
The data controller WORLD TRADE CENTER BUCHAREST S.A. was sanctioned with a fine of 71028 lei, the equivalent of 15000 Euros.
The breach of personal data security consisted in the fact that a printed paper list used to check the customers attending breakfast and which contained personal data of 46 clients accommodated at the hotel belonging to WORLD TRADE CENTER BUCHAREST S.A. was photographed by unauthorized people outside the company, which led to the disclosure of the personal data of some clients through publication.
The data controller WORLD TRADE CENTER BUCHAREST S.A. was sanctioned because it had not taken measures to ensure that its employees who have access to personal data process those data only at its request, according to the law.
Also, the data controller did not implement adequate technical and organisational measures to ensure a level of security appropriate to the risk of accidental or unlawful processing, in particular, of unauthorized disclosure or unauthorized access to personal data. This has led to unauthorized access to the personal data of 46 clients of WORLD TRADE CENTER BUCHAREST S.A. and unauthorized disclosure of these data in the online environment, which has led to the violation of the right to privacy and the right to the protection of personal data, guaranteed by Article 7 and Article 8 of the Charter of Fundamental Rights of the European Union and Article 16 of the Treaty on the Functioning of the European Union.
The National Supervisory Authority performed the investigation following the notification of a personal data breach received from WORLD TRADE CENTER BUCHAREST S.A., by filling in the form concerning the personal data breach provided by Article 33 of GDPR.
The General Data Protection Regulation establishes, in Article 24, the principle of the responsibility of the data controller, according to which: “Taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation. Those measures shall be reviewed and updated where necessary.”
Moreover, Recital (75) of GDPR states that:
“The risk to the rights and freedoms of natural persons, of varying likelihood and severity, may result from personal data processing which could lead to physical, material or non-material damage, in particular: where the processing may give rise to discrimination, identity theft or fraud, financial loss, damage to the reputation, loss of confidentiality of personal data protected by professional secrecy, unauthorised reversal of pseudonymisation, or any other significant economic or social disadvantage; where data subjects might be deprived of their rights and freedoms or prevented from exercising control over their personal data; where personal data are processed which reveal racial or ethnic origin, political opinions, religion or philosophical beliefs, trade union membership, and the processing of genetic data, data concerning health or data concerning sex life or criminal convictions and offences or related security measures; where personal aspects are evaluated, in particular analysing or predicting aspects concerning performance at work, economic situation, health, personal preferences or interests, reliability or behaviour, location or movements, in order to create or use personal profiles; where personal data of vulnerable natural persons, in particular of children, are processed; or where processing involves a large amount of personal data and affects a large number of data subjects.”
Legal and Communication Department