Sanction for the breach of GDPR
On 01.10.2021 the National Supervisory Authority finalised an investigation at the controller S.P.E.E.H. Hidroelectrica S.A. and found the breach of the provisions of Article 32 paragraph (1) letter b) and paragraph (2) of the General Data Protection Regulation (GDPR), as well as the breach of the provisions of Article 5 paragraph (1) letter a) and of Article 6 paragraph (1) of the GDPR.
The controller S.P.E.E.H. Hidroelectrica S.A. was sanctioned as follows:
- With a fine in the amount of Lei 24,739.50, the equivalent of Eur 5,000, for the breach of the provisions of Article 32 paragraph (1) letter b) and paragraph (2) of the GDPR;
- With a reprimand for the breach of the provisions of Article 5 paragraph (1) letter a) and of Article 6 paragraph (1) of the GDPR.
The investigation was started following the submission by the controller of several personal data breach notifications.
The National Supervisory Authority found that the controller did not implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk presented by the processing.
This situation resulted in the unlawful access to, or disclosure to the wrong recipients of, the personal data of 325 natural persons.
Also, the controller processed the personal data of 3 natural persons, its own clients, after they had exercised their right to erasure and withdrawn their consent to the processing of their data. Therefore, the processing was performed without the legal basis provided by Article 6 paragraph (1) of the GDPR, although the controller had the obligation to process the data lawfully, fairly and in a transparent manner in relation to the data subject.
At the same time, the following corrective measures were applied to the controller:
- the review and update of the security and organisational measures implemented following the evaluation of the risk to the rights and freedoms of the persons, including the working procedures referring to the protection of personal data, as well as the implementation of measures for the periodic training of the persons acting under its authority on the obligations incumbent on them under the provisions of the GDPR, including the risks that the processing of personal data involves, depending on the specifics of the activity;
- the identification and implementation of measures to ensure that the personal data processed are accurate and up to date, considering the purposes for which they are processed, including in relation to the record of the exercise by the data subjects of the right to erasure of personal data.
Legal and Communication Department