During the period January 2020 – September 2020 the National Supervisory Authority received a number of 3952 of complaints, 176 of intimations and 128 data breach notifications, based on which investigations were opened.

Following the investigations performed, during this period 22 fines were imposed, with a total amount of 68900 euros and respectively 10000 lei, a fine imposed pursuant to Law no. 506/2004.

Also, 46 reprimands were issued and 42 corrective measures were imposed.

Regarding the findings during the investigations, on this occasion the data controllers were charged with violating the provisions of Article 5, Article6, Article 7, Article 9, Article 12, Article 14, Article 15, Article 25 and Article 32 of the GDPR, as well the infringement of provisions of Article 13 of Law o. 506/2004.

Corrective measures were also applied during the investigations, such as:

to comply with the data subject’s requests to exercise his or her rights pursuant to the GDPR;
to bring processing operations into compliance with the provisions of the GDPR;
reviewing and updating the implemented technical and organisational measures, including the working procedures regarding the protection of personal data, as well as the implementation of measures regarding the regular training of persons acting under the authority of the controller, regarding its obligations according to GDPR, including regarding the risks involved in the processing of personal data, depending on the specificity of the activity;
conducting a risk assessment for the rights and freedoms of persons including the classification in a degree of risk, taking into account the nature, scope, context and purposes of the processing;
reviewing and updating the technical and organisational measures implemented as a result of the risk assessment for the rights and freedoms of individuals, including working procedures related to the protection of personal data.

Legal and Communication Department