Home » Comunicat_Presa_11_11_2021
 Română | English | Francais

sigla_anspdcp_2.png

The new Regulation 2016/679 applicable from 25th of May 2018

 

Complaints

GDPR Complaints

 

Procedure for complaints

Information on the payment of fine by legal entities

Controllers

Data Protection Officer Form

 

GDPR Breach Notification

 

Law nr. 506/2004 Breach Notification

 

GDPR Sanctions

Schengen

 

Schengen

News

Useful Information

 

F.A.Q.

Guidelines Q&A Regulation (EU) 2016/679

Indicative guidelines GDPR

Guidelines on the application of Law no. 363/2018

Useful Links

 

TFTP - Terrorist Finance Tracking Program

 

 

 

Procedure

Forms

Contact

Contact us

Data Protection

Information on the processing of personal data carried out by ANSPDCP

 

Cookies policy

11.11.2021

Sanction for the infringement of GDPR

 

During October 2021, the National Supervisory Authority finalised an investigation at the controller Vodafone Romania S.A. and found the breach of the provisions of Article 32 paragraph (1) letter b) and paragraph (4) of the General Data Protection Regulation, as well as the violation of the provisions of Article 3 paragraph (1) and paragraph (3) letters a) and b) of Law no. 506/2004 on the processing of personal data and the protection of privacy in the electronic communications sector.

The controller was sanctioned as follows:

  • fine in amount of Lei 7,421.25, the equivalent of Eur 1,500 for the breach of the provisions of Article 32 paragraph (1) letter b) and paragraph (2) of the GDPR;
  • fine in amount of Lei 7,000 for the breach of the provisions of Article 3 paragraph (1) and paragraph (3) letters a) and b) of Law no. 506/2004.

The investigation was initiated following the submission by the controller of several notifications of personal data breach based on the General Data Protection Regulation or on Regulation (EU) 611/2013.

Regarding the data breaches notified based on the GDPR, the National Supervisory Authority found that the controller did not implement appropriate technical and organisational measures in order to ensure that any natural person acting under the authority of the controller or of the processor and that has access to the personal data processes them only at the request of the controller, except for the case in which this obligation is incumbent based on the Union’s or the national law in order to ensure a security level corresponding to the processing risk, including the capacity to ensure the confidentiality of the data.

This situation resulted in the unauthorised disclosure and/or unauthorised access to the personal data of a number of 6 natural persons, within the period 16th of November 2020 – 18th of May 2021 (the transmission of some services agreements to wrong e-mail addresses, unauthorised access of the controller’s employees to the personal data of Vodafone’s clients without any existing request from them).

Regarding the data breaches notified based on Regulation (EU) 611/2013, the National Supervisory Authority found that the controller did not implement appropriate technical and organisational measures in order to ensure the security of the personal data processing, in view of ensuring that the personal data can be accessed only by authorised persons for the purposes authorised by law and to protect the stored or transmitted personal data against the illegal processing, accessing or disclosure.

Thus, the controller processed the personal data of 64 natural persons through the unauthorised accessing of their personal data by the controller’s employees within the period 4th of November 2020 – 22nd of June 2021.

 

Legal and Communication Department

A.N.S.P.D.C.P.