
18.05.2023


A new sanction for the breach of GDPR


In May of the current year, the National Supervisory Authority completed an investigation of the controller AUTOMOBILE BAVARIA SRL and found breaches of Article 32 paragraph (2) and Article 25 paragraph (1) of the General Data Protection Regulation (GDPR).

As a result, the controller was sanctioned:

  • with a fine of Lei 88,563.60, the equivalent of EUR 18,000, for the breach of Article 32 paragraph (1) letters b) and d), in conjunction with Article 32 paragraph (2) of the GDPR;
  • with a reprimand for the breach of Article 25 paragraph (1) of the GDPR.

The investigation was opened after the controller submitted a personal data breach notification under the General Data Protection Regulation.

The data security breach consisted of the unauthorized disclosure of personal data (first name, last name, city, e-mail address, telephone number, current vehicle model, vehicle manufacturing year, buy-back option, term for acquisition, acquisition method (cash, credit, leasing), approximate available budget, and marketing consent options (telephone contact, e-mail contact, SMS contact, newsletter subscription)) belonging to 290 clients and potential clients of the controller. Between July 2022 and 04.08.2022, these data were publicly accessible on the controller's website.

The investigation found that the controller had not implemented technical and organizational measures adequate to ensure a level of security appropriate to the risk of the processing, including the ability to ensure the confidentiality of the processing systems and services, and a process for regularly testing, assessing and evaluating the effectiveness of the technical and organizational measures for ensuring the security of the processing.

It was also found that AUTOMOBILE BAVARIA SRL did not ensure data protection by design and by default, as required by Article 25 paragraph (1) of the GDPR: neither at the time the means of processing were determined nor at the time of the processing itself did it implement adequate technical and organizational measures designed to implement the data protection principles effectively and to integrate the necessary safeguards into the processing, so as to meet the requirements of the GDPR and protect the rights of data subjects.

In addition, on the basis of Article 58 paragraph (2) letter d) of the GDPR, a corrective measure was ordered: the controller must implement a plan providing for regular testing, assessment and evaluation of all systems through which personal data are processed, and of any subsequent changes to them made by the controller or by its service providers (processors), in order to guarantee the security of the processing by design and by default.


Legal and Communication Department

A.N.S.P.D.C.P