A new sanction for GDPR infringement
In November this year, the National Supervisory Authority completed an investigation of the controller SUDREZIDENȚIAL Broker S.R.L., in which it found breaches of Article 32 paragraph (4) and Article 34 of the General Data Protection Regulation (GDPR), as well as a breach of Article 4 paragraph (5) of Law no. 506/2004 on the processing of personal data and the protection of privacy in the electronic communications sector.
Therefore, the company SUDREZIDENȚIAL Broker S.R.L. was sanctioned as follows:
- a fine of Lei 49,418, the equivalent of EUR 10,000, for the breach of the provisions of Article 32 paragraph (4) of the GDPR;
- reprimand for the breach of the provisions of Article 34 of the GDPR;
- reprimand for the breach of the provisions of Article 4 paragraph (5) of Law no. 506/2004.
The investigation found that SUDREZIDENȚIAL Broker S.R.L. had not taken adequate measures to ensure that natural persons acting under its authority who have access to personal data process them only on its instructions. This led to the creation of a registry in Excel format containing personal data (first name, last name, personal identification number, telephone number, identity card series and number, e-mail address, banking data, real estate acquisitions, civil status, amount requested, bank, observations) of the controller’s clients and of other natural persons (the clients’ spouses).
This situation led to the unauthorized disclosure to the general public of the personal data of at least 509 data subjects, clients of the controller, when the company’s director published the registry on a certain Internet page.
It was also found that the controller did not inform the data subjects of this personal data breach, thereby breaching the provisions of Article 34 of the GDPR.
It was also found that the controller SUDREZIDENȚIAL Broker S.R.L. stored information on users’ terminal equipment (cookies that were not technically necessary for the functioning of the controller’s website) without obtaining the consent of the users, natural persons, and without providing them clear and complete information in accordance with Articles 12-14 of the GDPR, thereby breaching the provisions of Article 4 paragraph (5) of Law no. 506/2004 on the processing of personal data and the protection of privacy in the electronic communications sector, as amended and supplemented.
In this context, we mention that Article 4 paragraph (5) of Law no. 506/2004 provides the following:
“The storage of information, or the obtaining of access to information stored in the terminal equipment of a subscriber or user, is allowed only on condition that:
a) the subscriber or user concerned has expressed his consent;
b) the subscriber or user concerned was provided, before giving consent, in accordance with the provisions of Art. 12 of Law no. 677/2001, as subsequently amended and supplemented, with clear and comprehensive information that:
i) is presented in easily accessible language and is easily accessible to the subscriber or user;
ii) includes mention of the purposes of the processing of the information stored by the user or subscriber, or of the information to which the latter has access.”
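The cookie finding above is a checkable web-client behaviour: whatever a site sets on the very first response, before the visitor has interacted with any consent banner, must be limited to cookies that are technically necessary for the site to function. The following is an added example, not code from the decision or from the controller’s website, of how a practitioner can audit that. It parses Set-Cookie headers captured from a first, pre-consent page load and flags every cookie that is not on the site’s own allowlist of necessary cookies. The headers, the cookie names (a session id, a consent-state cookie, and two typical third-party analytics cookies) and the allowlist are all constructed for illustration.

```javascript
// Added example (not from the ANSPDCP decision or the controller's site):
// audit the Set-Cookie headers observed on a first, pre-consent page load and
// flag every cookie that is not on the site's list of technically necessary ones.
// The captured headers and the allowlist below are constructed for illustration;
// a real audit would take them from a proxy or browser capture of the site.

// Parse one Set-Cookie header into name, value and lower-cased attributes.
// Attributes without a value (HttpOnly, Secure) are stored as `true`.
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  const [nameValue, ...attrParts] = parts;
  const eq = nameValue.indexOf('=');
  const name = eq === -1 ? nameValue : nameValue.slice(0, eq).trim();
  const value = eq === -1 ? '' : nameValue.slice(eq + 1).trim();
  const attributes = {};
  for (const attr of attrParts) {
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).trim().toLowerCase();
    attributes[key] = i === -1 ? true : attr.slice(i + 1).trim();
  }
  return { name, value, attributes };
}

// A cookie carrying Expires or Max-Age survives the browser session;
// a session-only cookie disappears when the browser closes.
function isPersistent(cookie) {
  return 'expires' in cookie.attributes || 'max-age' in cookie.attributes;
}

// Return the cookies set before consent that are not on the allowlist of
// technically necessary cookies. `necessary` is the site's own list (assumed
// here: the session id and the cookie that records the consent state itself).
function findPreConsentViolations(setCookieHeaders, necessary) {
  const allow = new Set(necessary.map((n) => n.toLowerCase()));
  return setCookieHeaders
    .map(parseSetCookie)
    .filter((c) => !allow.has(c.name.toLowerCase()))
    .map((c) => ({
      name: c.name,
      persistent: isPersistent(c),
      domain: c.attributes.domain || '(host-only)',
    }));
}

// Constructed capture of a first visit, before any consent banner interaction.
const capturedHeaders = [
  'PHPSESSID=a1b2c3; Path=/; HttpOnly; Secure; SameSite=Lax',
  'cookie_consent=pending; Path=/; Max-Age=31536000; SameSite=Lax',
  '_ga=GA1.2.123456.1700000000; Path=/; Expires=Wed, 01 Jan 2025 00:00:00 GMT; Domain=.example.com',
  '_fbp=fb.1.1700000000.98765; Path=/; Max-Age=7776000; Domain=.example.com',
];
const necessaryCookies = ['PHPSESSID', 'cookie_consent'];

const violations = findPreConsentViolations(capturedHeaders, necessaryCookies);
for (const v of violations) {
  console.log(
    `non-essential cookie set before consent: ${v.name} ` +
      `(persistent=${v.persistent}, domain=${v.domain})`
  );
}
```

Run against the constructed capture, the check reports the two analytics cookies as set before consent, both persistent and both scoped to the parent domain, while the session cookie and the consent-state cookie pass. In practice the allowlist is the contentious part: the law only exempts what is strictly needed to deliver the service the user asked for, so each name on it should have a documented justification.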
Legal and Communication Department