Fine for the infringement of the GDPR
In November 2021, the National Supervisory Authority finalised an investigation at the controller Telekom România Communications SA, following which it found a breach of the provisions of Article 5 paragraph (1) letters d) and f) and paragraph (2), as well as of Article 17 of the General Data Protection Regulation (GDPR).
The controller Telekom România Communications SA was sanctioned as follows:
- a fine of Lei 24,745, the equivalent of EUR 5,000, for the breach of the provisions of Article 5 paragraph (1) letters d) and f) and paragraph (2) of the GDPR;
- a fine of Lei 4,949, the equivalent of EUR 1,000, for the breach of the provisions of Article 17 of the GDPR.
The investigation was started following a complaint submitted by a data subject, who claimed to have received at his/her e-mail address, from the controller Telekom România Communications SA, invoices and notification messages regarding the debts registered by another person, a subscriber of the same company.
Within the investigation, the National Supervisory Authority found that the controller erroneously collected and processed certain inaccurate personal data, which also led to the illegal disclosure of some personal data to another natural person. This represents a breach of the personal data processing principles provided under Article 5 paragraph (1) letters d) and f) and paragraph (2) of the General Data Protection Regulation.
The investigation also found that the controller did not adopt the necessary measures to handle the submitted request for erasure, according to Article 17 of the General Data Protection Regulation.
The following corrective measures were also applied to the controller:
- to ensure that subsequent operations of collecting and processing personal data comply with the GDPR, by implementing efficient methods for ensuring the accuracy of the data, including when collecting data, such as the e-mail address, that allow the remote communication of personal data. In this respect, the controller was ordered to implement appropriate and efficient security measures, both technical (such as the automatic collection of some data and securing the transmission of documents and messages through encryption/password) and organisational, through regular training of the persons who process data under the authority of the controller;
- to ensure compliance with the GDPR when handling personal data erasure or rectification requests, by adopting appropriate technical and organisational measures that guarantee the effective and correct implementation of these operations within the database/databases used by the controller and processors, as well as the corresponding training of the persons who process data under their authority.
In this context, we note that Recital 65 of the General Data Protection Regulation acknowledges that “A data subject should have the right to have personal data concerning him or her rectified and a ‘right to be forgotten’ where the retention of such data infringes this Regulation or Union or Member State law to which the controller is subject.(…)”
Legal and Communication Department