13.01.2025
Sanction for GDPR violation
The National Supervisory Authority for Personal Data Processing finalised in 2024 an investigation at the controller Centrul Medical Unirea S.R.L. and found infringements of Articles 24 and 32 of Regulation (EU) 2016/679 (GDPR).
As such, the controller was sanctioned with a fine of 9.953 lei (the equivalent of 2,000 euros).
The investigation was initiated following a complaint regarding a possible violation of Regulation (EU) 2016/679 with reference to the security of personal data.
The petitioner complained that, at the controller’s medical point for the collection of biological samples, the access credentials to his e-mail account were publicly exposed by being displayed on a computer monitor.
Consequently, it was found that the controller had not adopted adequate technical and organisational measures to ensure a level of security appropriate to the risk of the processing, including the ability to ensure the confidentiality of the personal data of certain data subjects, which allowed unauthorised access to that data, at least on the date of the incident.
As such, this act constitutes a violation of the provisions of Article 32 of Regulation (EU) 2016/679, for which the controller was fined.
At the same time, pursuant to Article 58 paragraph (2) letter d) of the GDPR, the following corrective measures were ordered:
- the training of the persons acting under the authority of the controller, with reference to their obligations according to the provisions of the GDPR, including the risks and consequences involved in the processing of personal data;
- adopting an updated password policy that includes rules on the confidentiality of the user credentials.
The controller has paid the established fine.
Legal and Communication Department
A.N.S.P.D.C.P