Sanction for the infringement of GDPR
On the 12th of August 2020 the National Supervisory Authority finalised an investigation at the controller Sanatatea Press Group S.R.L. and found the violation of the personal data security measures established by the provisions of Article 32 paragraphs (1) and (2) in connection with Article 5 paragraph (1) letter f) of the General Data Protection Regulation
The controller Sanatatea Press Group S.R.L. was sanctioned with a fine of 9,671.40 lei, the equivalent of 2,000 euros.
The investigation was launched following the submission by the controller of a notification of a personal data breach.
The breach of data security consisted in the fact that, during the organisation of an online event by Sanatatea Press Group SRL, the login data of some persons were erroneously transmitted to other e-mail addresses than those with which they had created an account on the electronic platform of the controller.
This situation led to the disclosure and unauthorised access to the data of other participants in the event (e-mail addresses, usernames), with effects for a number of 1300 users of the controller’s platform.
In this context, we mention that pursuant to Article 5 paragraph (1) letter f) of the General Data Protection Regulation, the controller had the obligation to process the data “in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’)”.