
Corrective measures 1st of June 2019 – 30th of September 2019

During the period 1st of June 2019 – 30th of September 2019, within the investigations carried out, certain corrective measures were imposed on controllers, as follows:

No.

CONTROLLER

Date of finding of the infringement

DESCRIPTION OF THE CORRECTIVE MEASURE

1.

Vola.RO SRL

4.06.2019

Reprimand - for violation of Article 32 paragraph (1) letters b) and d) in relation to Article 32 paragraph (2) of the GDPR, as the controller has not implemented adequate technical and organisational measures to ensure a level of security corresponding to the risk of processing for the rights and freedoms of natural persons, by sending a series of e-mails to a client of the company to several recipients, which resulted in unauthorised disclosure of this data to unauthorised persons and compromising the confidentiality.

2.

Sam Development Investment & Constructions SRL

5.06.2019

Reprimand - for violation of Article 32 paragraph (1) letter b) related to Article 32 paragraph (4) and Article 33 paragraph (1) of the GDPR as the controller did not implement adequate technical and organisational measures to ensure a level of security corresponding to the risk of processing for the rights and freedoms of natural persons, by sending by e-mail the personal data of the employees of the company SAM DEVELOPMENT INVESTMENT & CONSTRUCTIONS SRL processed by Revisal, on a certain date to an unauthorised person, which led to the unauthorised disclosure of these data to unauthorised persons and the compromise of the confidentiality.

It was also found that SAM DEVELOPMENT INVESTMENT & CONSTRUCTIONS SRL infringed the provisions of Article 33 paragraph (1) of the GDPR, notifying ANSPDCP late and deficiently about the personal data breach.

3.

Sam Urbanic Construct SRL

5.06.2019

Reprimand - for violation of Article 32 paragraph (1) letter b) related to Article 32 paragraph (4) and Article 33 paragraph (1) of the GDPR as the controller did not implement adequate technical and organisational measures to ensure a level of security corresponding to the risk of processing for the rights and freedoms of natural persons, by sending by e-mail the personal data of the employees of the company SAM URBANIC CONSTRUCT SRL processed by Revisal, on a certain date to an unauthorised person, which led to the unauthorised disclosure of these data to unauthorised persons and the compromise of the confidentiality.

Also, it was found that SAM URBANIC CONSTRUCT SRL violated the provisions of Article 33 paragraph (1) of the GDPR, as it did not comply with the 72-hour deadline from the date when it became aware of the breach and the notification was not accompanied by a reasoned explanation for the delay, notifying ANSPDCP late about the personal data breach.

4.

Altex România SRL

5.06.2019

1. Reprimand - for the contravention provided by Article 13 paragraph (1) letter q) of Law no. 506/2004, corroborated with Article 13 paragraph (5) of Law no. 506/2004 and with Article 7 of G.O. no. 2/2001 on the legal regime of contraventions, because Altex Romania SRL sent by email unsolicited promotional commercial messages to a petitioner, without proving the existence of his/her express prior consent, thus violating the provisions of Article 12 of Law no. 506/2004 on unsolicited communications.

2. The company was recommended to reanalyse and no longer send commercial messages through electronic means of communication in cases where it cannot prove the obtaining of the prior express consent of the clients for the receipt of such communications, according to the provisions of Article 12 of Law no. 506/2004.

5.

Vodafone România

6.06.2019

Reprimand - for committing the contravention provided in Article 13 paragraph (1) letter a) of Law no. 506/2004, as the controller did not take adequate technical and organisational measures in order to ensure that personal data can only be accessed by authorised persons, for the purposes authorised by law, which led to the fact that personal data contained in the detailed invoices of the various Vodafone Romania SA subscribers, natural persons, were viewed by employees with the right of access in a specific application owned by the controller, for unauthorised purpose, individually and personally, with exceeding the duties in the job description.

6.

Centrul Medical Unirea SRL

12.06.2019

1. To take the necessary technical and organizational measures so that, in the future, situations of processing of inaccurate personal data will be avoided, thus observing Article 5 paragraph (1) letter d) of Regulation (EU) 2016/679.

7.

Orange Romania SA

12.06.2019

To provide a complete answer to the request of the petitioner, containing all the information requested by the petitioner, according to Article 15 of the GDPR.

8.

SC RD Office Solutions SRL

12.06.2019

1. To take the necessary measures so that, in the future, the illegal processing of personal data, without the existence of a clearly determined legal basis, shall be avoided, in compliance with the principles and conditions of legality provided by the GDPR.

2. To respond to the request of the petitioner and to provide an answer to the petitioner to his/her request by which he/she has exercised the right to erasure of personal data.

9.

Dante International SA

13.06.2019

1. To take all the necessary technical and organisational measures to ensure an adequate level of security, including data confidentiality, in order to prevent unauthorised access to the personal data they process.

2. To take all the necessary measures to ensure the security of the accounts created on the e-Mag platform and implicitly of the personal data related to its clients.

3. To observe the Customer Care working Procedure for the Identification of the client natural person.

4. To train the telephone operators in respect of the Procedure.

10.

IPJ Dambovita

18.06.2019

The performance of an assessment of the risks incident to the processing envisaged according to Article 35 paragraph (3) of Law no. 363/2018 and the implementation of appropriate technical and organisational measures in order to ensure an adequate level of security, in order to maintain the security and to prevent the processing that violates Law no. 363/2018, such as encryption of mobile devices with storage space.

11.

Directorate for Persons Record and Databases Management (DPABD)

18.06.2019

1. The implementation of appropriate technical and organisational measures to ensure an adequate level of security, in order to maintain security and to prevent the processing in violation of the GDPR, in order to identify the unauthorised access;

2. To train the personnel with regard to the measures taken by the controller, so that the users have access only to the personal data for fulfilling the duties of the service.

12.

S.C. Easy Asset Management IFN S.A.

19.06.2019

1. Reprimand - for violation of Article 12 paragraphs (1), (3) and (4) of Regulation (EU) 2016/679, pursuant to Article 58 paragraph (2) letter b) of Regulation (EU) 2016/679, correlated with Article 14 paragraph (11), Article 15 paragraph (1) and (3) and Article 16 paragraph (5) of Law no. 102/2005, republished, as well as with Article 12 paragraphs (1), (2) and (4) of Law no. 190/2018, corroborated with Article 7 of G.O. no. 2/2001, as it did not prove that it provided an answer regarding the requests by which the petitioners exercised their right to erasure of data and the right to object.

2. To draw up and transmit to the supervisory authority a distinct, clear and complete procedure on the concrete way of exercising the rights of the data subjects, as well as information about the notification of data subjects about this procedure, pursuant to Article 58 paragraph (2) letters c) and d) of Regulation (EU) 2016/679, correlated with Article 12 paragraph (4) of Law no. 190/2018, Article 14 paragraph (11), Article 15 paragraph (3) and Article 16 paragraph (5) of Law no. 102/2005, republished, related to Article 12 paragraphs (1), (3) and (4) of Regulation (EU) 2016/679, for the act provided by Article 83 paragraph (5) letter b) of the GDPR.

13.

Owners Association Flat no. 35, Bucharest

20.06.2019

1. Reprimand - for violation of Article 12 of the GDPR, because the Owners Association Flat no. 35 submitted a response to the petitioner exceeding the deadline stipulated in Article 12 paragraph (3) of the GDPR.

2. To provide the data subjects with information on the actions taken following the requests under Articles 15-22, without undue delay.

14.

SC Rovigo SRL

25.06.2019

To provide a complete response to the request of the petitioner by which she exercised her right to erasure.

15.

Unicredit Bank

27.06.2019

Fine - 130,000 euros for infringement of Article 25 paragraph (1) of the GDPR in conjunction with Article 5 paragraph 1 letter c) of the GDPR, because the controller did not implement adequate technical and organisational measures, both at the time of establishing the means of processing and during the processing itself, in order to fulfil the GDPR requirements and to protect the rights of the data subjects, which led to the disclosure of data concerning the personal identification number and the payer’s address in the documents containing the details of the transactions and which are made available online to the clients receiving the payments during a certain period, for a large number of data subjects, although, according to Article 5 paragraph 1 letter c) of the GDPR, it had the obligation to process data limited to what is necessary in relation to the purposes for which they are processed.

16.

Dante Internațional SA

1.07.2019

1. Reprimand - for violation of Article 12 paragraph (3) and Article 15 of Regulation (EU) 2016/679, as it did not prove that it sent, until the date of the report, a complete response addressed to the petitioner, to his/her request transmitted by e-mail, through which he/she exercised his/her right of access.

2. To provide a complete answer to the petitioner, to his/her request transmitted by e-mail, through which he/she exercised his/her right of access, provided by Article 15 of Regulation (EU) 2016/679;

3. To take measures so that, in all cases, the provisions of Article 12 of Regulation (EU) 2016/679 are observed.

17.

World Trade Center

2.07.2019

1. Fine - in the amount of 15,000 Euros for violation of Article 32 paragraph (4) in relation to Article 32 paragraph (1) and paragraph (2) of the GDPR, because the controller did not implement adequate technical and organisational measures to ensure a level of security appropriate to the risk of accidental or unlawful processing, in particular, of unauthorised disclosure or unauthorised access to personal data, which led to unauthorised access to the personal data of a large number of clients, printed on paper from the controller’s hotel application, and to unauthorised disclosure of such data in the online environment.

2. Revising and updating the technical and organizational measures implemented as a follow-up of the risk assessment for the rights and freedoms of persons, revising the working procedures regarding the protection of personal data.

18.

A-Car Vaslui

2.07.2019

1. Reprimand - pursuant to Article 58 paragraph (2) letter b) of Regulation (EU) 2016/679, in conjunction with Article 12 paragraphs (1), (4) and Article 14 paragraph 5 letter e) of Law no. 190/2018, Article 14 paragraph (11), Article 15 paragraphs (1), (3) and Article 16 paragraph (1) of Law no. 102/2005, republished, related to Article 58 paragraph (1) letters a) and letter e) of the GDPR, as the controller did not provide the information requested by ANSPDCP through the addresses transmitted.

2. Remedial plan - Provision of all information as requested by ANSPDCP.

19.

Globus Score SRL (former Instrumental Theory SRL)

4.07.2019

1. Reprimand - for violation of the provisions of Article 58 paragraph (1) letter a) and letter e) of the GDPR, pursuant to Article 58 paragraph (2) letter b) of Regulation (EU) 2016/679, correlated with Article 12 paragraphs (1), (2) and (4) of Law no. 190/2018, Article 14 paragraph (11), Article 15 paragraphs (1), (3) and Article 16 paragraph (1) of Law no. 102/2005, republished, because it did not provide any information requested by ANSPDCP;

2. To provide the supervisory authority with a complete answer to the addresses sent, pursuant to Article 58 paragraph (2) letter d) of Regulation (EU) 2016/679, correlated with Article 12 paragraph (4) of Law no. 190/2018, Article 14 paragraph (11), Article 15 paragraph (3) and Article 16 paragraph (5) of Law no. 102/2005, republished.

20.

Legal Company & Tax Hub SRL

5.07.2019

Fine - in the amount of 3,000 Euros, for the violation of Article 32 paragraph (1) and paragraph (2) of the GDPR, as the controller did not implement adequate technical and organisational measures to ensure a security level corresponding to the processing risk, which led to the unauthorised disclosure and unauthorised access to the personal data of the persons who performed transactions received by the website avocatoo.ro, documents accessible to the public on these websites, for almost two months, although it had this obligation according to Article 5 paragraph (1) letter f) of the GDPR.

21.

Association “Prietenii lui Adrian”

5.07.2019

Taking the necessary measures for the processing of personal data with the express consent of the data subjects in accordance with Articles 6 and 7 of the GDPR for sending messages by electronic means of communication, as the Association sent an unsolicited email to a petitioner from office@aspla.ro to his/her personal email address, without proving that it obtained the prior express and unequivocal consent for the processing of personal data (e-mail address), thus violating the provisions of Articles 6 and 7 of the GDPR.

22.

Owners Associations Confort Park 1A, Bucharest

5.07.2019

1. Reprimand - pursuant to Article 58 paragraph (2) letter b) of Regulation (EU) 2016/679, correlated with Article 12 paragraphs (1), (2) and (4) of Law no. 190/2018, Article 14 paragraph (11), Article 15 paragraphs (1), (3) and Article 16 paragraph (1) of Law no. 102/2005, republished, as the Owners Associations Confort Park 1A:

- has installed a video surveillance system in the premises of the building it manages without proving that the data subjects have been informed, thus infringing the provisions of Article 13 of the Regulation;

- did not prove the ensuring of the confidentiality of the personal data of the persons whose data were displayed on the notice board, so that the names and surnames were revealed at the notice board of the association, without the consent of these persons and without the existence of another situation where the consent is not required, in violation of the provisions of Article 5 paragraph (1) letters b) and c) and Article 6 paragraph (1) letter a) of the GDPR;

- requires excessive personal data and copies of various documents from the owners, in order to complete the real estate book, in violation of the provisions of Article 5 paragraph (1) letters a) and c) of the GDPR.

2. To take the necessary measures so that, in the future, personal data will not be used and disclosed in violation of the principles of data processing, while respecting the principle of purpose limitation and data minimisation.

3. To inform the data subjects by completing the notification posters with the information provided by Article 13.

23.

City Hall Ovidiu, Constanța County

8.07.2019

1. Reprimand - for violation of the provisions of Article 58 paragraph (1) letter a) and letter e) of the GDPR, pursuant to Article 58 paragraph (2) letter b) of Regulation (EU) 2016/679, correlated with Article 12 paragraphs (1), (2) and (4) of Law no. 190/2018, Article 14 paragraph (11), Article 15 paragraphs (1), (3) and Article 16 paragraph (1) of Law no. 102/2005, republished, as it did not provide the information requested by ANSPDCP through the letters sent.

2. To provide ANSPDCP with a complete response to the institution’s letters.

24.

Credit Europe Bank

08.07.2019

1. Reprimand - for violation of the provisions of Article 12 of the GDPR, as the controller failed to comply with the request of the petitioner, by which he/she exercised his/her right to erasure of some personal data.

2. To provide the data subjects with information on the actions taken following the requests pursuant to Articles 15-22, without unjustified delays and in any case within one month of receiving the request. This period may be extended by two months when necessary, taking into account the complexity and number of applications.

25.

Dante Internațional SA

10.07.2019

1. Reprimand - for violation of Article 21 of Regulation (EU) 2016/679, because it did not take into account the applicant’s option to have his/her e-mail address deactivated from the database for messages such as satisfaction questionnaires, an option brought to the attention of the controller by a request, so that two months later he/she received another message of this type.

2. To take measures so that, in all cases, the provisions of Article 21 of the GDPR are observed, including in the case of the petitioner.

26.

Uttis Industries

10.07.2019

1. Fine - in the amount of 1000 Euros, for the violation of Article 12 of the GDPR, because the controller could not prove that the data subjects were informed about the processing of personal data/images through the video surveillance system, which it has been doing since 2016, although it had the obligation to take appropriate measures to provide the data subjects any information mentioned in Articles 13 - 14 and any communications pursuant to Articles 15 - 22 and Article 34 concerning the processing, in a concise, transparent, intelligible and easily accessible form, using clear and simple language, especially for any information specifically addressed to a child.

2. Fine in the amount of 1500 Euros, for the violation of Article 5 paragraph (1) letter c) of the GDPR, because the processing/disclosure of the employees’ personal identification number by displaying a report to the notice board, was not appropriate, relevant and limited in relation to the purpose for which it was processed, respectively the prevention of any work accident. At the same time, the controller could not prove the legality of the processing of the personal identification number, by disclosure on the notice board, according to Article 6 of the GDPR.

3. Informing the data subjects according to Article 12 of the GDPR, also by combining with standardized icons in spaces/places which are video monitored, positioned at a reasonable distance from the places where the surveillance equipment is located, in order to provide in a visible, intelligible and clear way, a significant overall image on the processing through the video surveillance system.

4. Review and update the technical and organisational measures implemented.

27.

Owners Association Flat 713, Bucharest

18.07.2019

1. Reprimand - for violation of Article 58 paragraph (1) letter a) and letter e) of the GDPR as it did not provide all the information requested by ANSPDCP, in the exercise of its investigative powers, through the letters sent with regard to the communication of a response to the request of some petitioners.

2. Providing an answer to the requests of the petitioners.

3. To draw up a procedure regarding the management of the requests of the data subjects through which they can exercise their rights provided by Regulation (EU) 2016/679, and bring this procedure to the knowledge of the data subjects, according to the provisions of Article 12 of Regulation (EU) 2016/679.

28.

County Clinical Emergency Hospital “Sf. Apostol Andrei” Constanța

23.07.2019

Review and update the technical and organisational measures implemented, as a follow-up of the risk assessment for the rights and freedoms of persons, by establishing and implementing measures regarding the periodic training of the persons acting under its authority, regarding the obligations incumbent upon them according to the GDPR provisions.

29.

Media Group SC Medianet SRL

23.07.2019

To reconsider the petitioner’s request and to inform him/her about the measures adopted in accordance with the provisions of Article 12 of the GDPR.

30.

Gothaer Asigurări Reasigurări SA

24.07.2019

Review and update the technical and organisational measures implemented, as a follow-up of the risk assessment for the rights and freedoms of persons, including the procedures concerning the electronic communications, in order to avoid similar incidents of unauthorised disclosure of the processed personal data.

31.

Nicola Medical Team 17 S.R.L.

24.07.2019

1. Reprimand - for violation of Article 58 paragraph (1) letter a) and letter e) of the GDPR because it did not provide the information requested by ANSPDCP, in the exercise of its powers of investigation, through the letters transmitted.

2. To provide ANSPDCP with all the requested information, regarding the conformity of the processing operations performed as a data controller.

32.

Deichmann Comercializare Încălțăminte SRL

31.07.2019

Review and update the technical and organisational measures implemented, as a follow-up of the risk assessment for the rights and freedoms of persons, including the procedures concerning the electronic communications, in order to avoid similar incidents of unauthorised disclosure of the processed personal data.

33.

Owners Association Flat B29, Bucharest

31.07.2019

1. Reprimand - for violation of Article 58 paragraph (1) letters a) and e) of the GDPR, pursuant to Article 58 paragraph (2) letter b) of Regulation (EU) 2016/679, correlated with Article 12 paragraphs (1), (2) and (4) of Law no. 190/2018, Article 14 paragraph (11), Article 15 paragraphs (1), (3) and Article 16 paragraph (1) of Law no. 102/2005, republished, related to Article 58 paragraph (1) letter a) and letter e) of the GDPR as it did not provide any information requested by ANSPDCP through the letters sent;

2. To provide ANSPDCP with a complete response to the institution’s letters.

34.

Olarian Augustin (owner of domain olarian.ro)

31.07.2019

1. Reprimand - for violation of Articles 6 and 7 of the GDPR, pursuant to Article 58 paragraph (2) letter b) of the GDPR, correlated with Article 12 paragraphs (1), (2) and (4) of Law no. 190/2018, Article 14 paragraph (11), Article 15 paragraphs (1), (3) and Article 16 paragraph (1) of Law no. 102/2005, republished, in conjunction with Article 7 of G.O. no. 2/2001, as it could not prove the prior consent of the data subjects, including of the petitioner, for the processing of their e-mail addresses, collected from the Internet, for the purpose of sending commercial messages.

2. Not to process the personal data of the petitioner, respectively his/her name and surname and his/her e-mail address, without respecting Articles 6 and 7 of the GDPR;

3. Not to process personal data without the consent of the data subjects according to Articles 6 and 7 of the GDPR, including in the case of sending commercial messages through electronic means of communication, pursuant to Article 58 paragraph (2) letter d) of the GDPR, correlated with Article 12 paragraph (4) of Law no. 190/2018, Article 14 paragraph (11), Article 15 paragraph (3) and Article 16 paragraph (5) of Law no. 102/2005, republished, related to Article 12 paragraphs (1), (3) and (4) of the GDPR. In this regard, it is recommended to use the “double opt-in” method for collecting the e-mail addresses.

35.

Telekom România Mobile Communications S.A.

31.07.2019

1. To provide a complete response to the request of the petitioner, regarding the request of erasure of his/her data.

36.

SC Graftex Prodcom SRL

31.07.2019

1. Reprimand - for the contravention provided by Article 13 paragraph (1) letter q) of Law no. 506/2004, corroborated with Article 13 paragraph (5) of Law no. 506/2004 and with Article 7 of G.O. 2/2001 as Graftex Prodcom SRL did not prove the existence of the petitioner’s agreement for the communication of unsolicited commercial messages, thus violating the provisions of Article 12 of Law no. 506/2004 with regard to unsolicited communications.

2. To take the necessary measures to comply with the provisions of Article 12 of Law no. 506/2004, for the purpose of transmitting commercial messages through electronic means of communication only with the express prior consent of the users of the telephone numbers.

37.

Orange Romania SA

31.07.2019

1. To provide an answer to the request of the petitioner, in accordance with the provisions of Article 15 of the GDPR.

38.

S.C. UniCredit Consumer Financing IFN S.A

7.08.2019

1. Reprimand - for violation of Article 12 paragraphs (1), (3) and (4) of Regulation (EU) 2016/679, pursuant to Article 58 paragraph (2) letter b) of Regulation (EU) 2016/679, correlated with Article 14 paragraph (11), Article 15 paragraphs (1) and (3) and Article 16 paragraph (5) of Law no. 102/2005, republished, as well as with Article 12 paragraphs (1), (2) and (4) of Law no. 190/2018, corroborated with Article 7 of G.O. no. 2/2001, because it did not prove the communication to the petitioner of an answer regarding the received requests, by which he/she exercised his/her right to erasure of the data;

2. To take measures so that, in all cases, the provisions of Article 12 of Regulation (EU) 2016/679 are respected.

39.

Modern Barber S.R.L.

7.08.2019

1. Reprimand - for violation of Article 58 paragraph (1) letter a) and letter e) of Regulation (EU) 2016/679 because it did not provide the information requested by the National Supervisory Authority for Personal Data Processing, in the exercise of its powers of investigation, through the letters transmitted.

2. To provide ANSPDCP with all the information requested through the letters transmitted with regard to the aspects reported by the petitioner.

40.

Dumitru N. Mihai

8.08.2019

To provide ANSPDCP with a complete response to the letter transmitted, in accordance with the provisions of Article 58 of the GDPR.

41.

Owners Association Speranța Flat D3 Oradea, Bihor County

8.08.2019

1. Reprimand - for violation of Article 58 paragraph (1) letter a) and letter e) of the GDPR, pursuant to Article 58 paragraph (2) letter b) of Regulation (EU) 2016/679, correlated with Article 12 paragraphs (1), (2) and (4) of Law no. 190/2018, Article 14 paragraph (11), Article 15 paragraphs (1), (3) and Article 16 paragraph (1) of Law no. 102/2005, republished, as it did not provide any information requested by ANSPDCP, in the exercise of its powers of investigation.

2. To provide ANSPDCP with a complete response to the institution’s letter.

42.

Owners Association Militari R, Chiajna, Ilfov County

8.08.2019

1. Reprimand, for violation of Article 58 paragraph (1) letter a) and letter e) of the GDPR, pursuant to Article 58 paragraph (2) letter b) of Regulation (EU) 2016/679, correlated with Article 12 paragraphs (1), (2) and (4) of Law no. 190/2018, Article 14 paragraph (11), Article 15 paragraphs (1), (3) and Article 16 paragraph (1) of Law no. 102/2005, republished, as it did not provide any information requested by ANSPDCP, in the exercise of its investigative powers.

2. To provide ANSPDCP a complete response to the institution’s letter, within 5 working days from the date of the report.

43.

Cumpata Dent SRL

8.08.2019

1. Reprimand, for violation of Article 58 paragraph (1) letter a) and letter e) of the GDPR, pursuant to Article 58 paragraph (2) letter b) of Regulation (EU) 2016/679, correlated with Article 12 paragraphs (1), (2) and (4) of Law no. 190/2018, Article 14 paragraph (11), Article 15 paragraphs (1), (3) and Article 16 paragraph (1) of Law no. 102/2005, republished, as it did not provide any information requested by ANSPDCP, in the exercise of its investigative powers.

2. To provide ANSPDCP a complete response to the institution’s letter.

44.

Banca Transilvania S.A.

13.08.2019

1. To take the necessary measures so that, in the future, personal data will be processed only with the express and unequivocal consent of the data subject, as the controller did not prove that it obtained the consent of the petitioner for the processing of personal data, in violation of the provisions of Article 6 and Article 7 of the GDPR.

45.

Banca Comercială Română S.A.

13.08.2019

1. Reprimand - for violation of Article 12 of the GDPR, as Banca Comercială Română S.A. did not provide an answer to the petitioner’s request.

2. Banca Comercială Română S.A. was recommended to provide an answer to the request of the petitioner, given his/her request to receive a response to his/her request.

46.

Termocasa Ambient SRL

13.08.2019

1. To take the necessary measures, in compliance with Article 5 and Article 6 of the GDPR, so that in the future, the illegal processing of personal data will be avoided, by the disclosure without the consent of the data subject.

47.

Iași City, represented by the mayor, Iași County

13.08.2019

1. Reprimand - for violation of Articles 12 and 15 of Regulation (EU) 679/2016, pursuant to Article 58 paragraph (2) letter b) of Regulation (EU) 2016/679, correlated with Article 12 paragraphs (1), (2) and (4) of Law no. 190/2018, Article 13, Article 14 paragraph (11) of Law no. 102/2005, republished, as it did not prove that it communicated a response to the request of the petitioner, by which he/she exercised his/her right of access to Iași City Hall regarding the disclosure of his/her personal data, according to Article 15 of GDPR.

2. To provide a complete response to the request of the petitioner.

3. In the future, to take the necessary measures to respect the rights of the data subjects stipulated in the GDPR.

48.

Owners Association no. 505, Reșița, Caraș-Severin County

21.08.2019

1. Reprimand, for violation of Article 58 paragraph (1) letter a) and letter e) of the GDPR, pursuant to Article 58 paragraph (2) letter b) of Regulation (EU) 2016/679, correlated with Article 12 paragraphs (1), (2) and (4) of Law no. 190/2018, Article 14 paragraph (11), Article 15 paragraphs (1), (3) and Article 16 paragraph (1) of Law no. 102/2005, republished, as it did not provide any information requested by ANSPDCP through the letter transmitted.

2. To provide ANSPDCP a response to the institution’s letter.

49.

Artmark Holding SRL

28.08.2019

1. Fine - in the amount of 10,000 lei for the contravention provided by Article 13 paragraph (1) letter q) of Law no. 506/2004, corroborated with Article 13 paragraph (5) of Law no. 506/2004 and with Article 7 of G.O. no. 2/2001, because the controller did not prove that it had obtained the express and unequivocal prior consent of the applicant for the transmission of commercial messages to his/her email address on a certain date;

2. To take the necessary measures to comply with the provisions of Article 12 of Law no. 506/2004, for the purpose of sending commercial messages through electronic means of communication only with the express prior consent of the recipients.

50.

Regional Directorate of Public Finance Ploiești, Prahova County

4.09.2019

1. Reprimand - for violation of Article 5 paragraph (1) letters a), c), f) and paragraph (2) of Regulation (EU) 2016/679 as it did not respect the principle of data minimisation that can be transmitted to other entities and the principle of integrity and confidentiality.

2. Reprimand - for violation of Article 32 paragraph (1) letter b) and paragraph (2), as well as of Article 32 paragraph (4) corroborated with Article 29 of Regulation (EU) 2016/679, as it did not present evidence, until the date of the report, from which it can be seen that it complied with the provisions of Article 32 paragraph (1) letter b) and paragraph (2), as well as of Article 32 paragraph (4) corroborated with Article 29 of Regulation (EU) 2016/679, regarding the implementation of adequate technical and organisational measures for the security of the personal data processed by the controller, by its subordinate structures and any person acting under its authority, in order to ensure the confidentiality of the personal data processed in all processing operations and to avoid situations of illegal or unauthorised disclosure thereof.

3. Assessment of the existing situations and establishing the necessary measures in case of transmission/disclosure of personal data of the data subjects whose data are processed by the Regional General Directorate of Public Finance Ploiesti as a controller (including by its subordinated structures), in order to ensure that all data protection principles are respected, in particular the one referring to the legality, fairness and transparency, data minimisation, integrity and confidentiality;

4. Implementing adequate technical and organisational measures, necessary to ensure the security of personal data processed by the Regional General Directorate of Public Finance Ploiesti as controller (including its subordinated structures), so as to ensure the confidentiality of the personal data processed in all processing operations and to avoid the situations of illegal or unauthorised disclosure thereof.

51.

University of Medicine and Pharmacy “Carol Davila” Bucharest

26.09.2018

1. Reprimand - for violation of Article 5 paragraph (1) letter a) of the GDPR and Article 6 of the GDPR, because the controller did not inform the data subjects about the purpose of the processing of their data by posting/publishing/displaying, disclosing by transmission, dissemination or making available in any way, the affected data subjects being employees of the UMFCD whose data were posted on the university’s website, and because the controller processed personal data in violation of Article 6 of the GDPR on the legality of processing.

2. To train the employees concerning the risks and consequences involved in disclosing personal data.

52.

Inteligo Media SA

26.09.2019

Fine - in the amount of 9000 Euros, for violating the basic data protection principles, including the conditions regarding the consent, according to Article 5, paragraph (1) letters a) and b), Article 6 paragraph (1) letter a) and Article 7 of the GDPR, as the controller could not prove the explicit consent, for a large number of users whose personal data it processed for a period of 15 months. The controller also processed personal data for these users on the basis of a legal ground that was not appropriate for the purpose of the processing in question, respectively it collected the personal data of the respective users in an illegal and non-transparent way towards the data subject, subsequently being processed in a way which was incompatible with the purpose for which they were initially collected.

53.

Telekom România Communications SA

26.09.2019

Reprimand - for committing the contravention provided by Article 13 paragraph (1) letter a) of Law no. 506/2004, because the controller did not take adequate technical and organisational measures to ensure the security of the processing of personal data, which led to the erroneous transmission of e-mails containing links to customer invoices to other customers than the holders of the invoices, as well as the illicit access and disclosure of personal data of Telekom Romania customers.

54.

Amsterdam Broker de Asigurare SRL

12.09.2019

1. Reprimand - for violation of Article 32 paragraph (1) letter b) corroborated with Article 32 paragraph (2) of the GDPR, as the controller has not implemented adequate technical and organisational measures in order to ensure a level of security corresponding to the risk of processing: on a certain date, it transmitted data related to housing insurance policies issued by Allianz-Țiriac Asigurări SA, at the request of ING Bank (customer representative), following a manual processing in which certain e-mail addresses of the insured clients were replaced by mistake; data subjects were thus affected by incidents, which constituted a breach of the confidentiality of personal data;

2. To train the employees concerning the risks and consequences involved in disclosing personal data.

55.

România Hypermarche SA

13.09.2019

Review and update the technical and organisational measures implemented in order to avoid similar incidents of unauthorised disclosure of the personal data processed, by implementing a specific procedure by the controller.

 

Legal and Communication Department

ANSPDCP