Home » Comunicat_Presa_22_12_2022
 Română | English | Francais

sigla_anspdcp_2.png

The new Regulation 2016/679 applicable from 25th of May 2018

 

Complaints

GDPR Complaints

 

Procedure for complaints

Information on the payment of fine by legal entities

Controllers

Data Protection Officer Form

 

GDPR Breach Notification

 

Law nr. 506/2004 Breach Notification

 

GDPR Sanctions

Schengen

 

Schengen

News

Useful Information

 

F.A.Q.

Guidelines Q&A Regulation (EU) 2016/679

Indicative guidelines GDPR

Guidelines on the application of Law no. 363/2018

Useful Links

 

TFTP - Terrorist Finance Tracking Program

 

 

 

Procedure

Forms

Contact

Contact us

Data Protection

Information on the processing of personal data carried out by ANSPDCP

 

Cookies policy

22.12.2022

A new sanction for the GDPR infringement

 

The National Supervisory Authority finalized in November this year an investigation at the controller SUDREZIDENȚIAL Broker S.R.L.  within which it found the breach of the provisions of Article 32 paragraph (4) and article 34 of the General Data Protection Regulation (GDPR), as well as the breach of article 4 paragraph (5) from Law no. 506/2004 on the processing of personal data and the protection of privacy in the electronic communications sector.

Therefore, the company SUDREZIDENȚIAL Broker S.R.L. was sanctioned as it follows:

  • fine in amount of Lei 49,418 the equivalent of EUR 10,000, for the breach of the provisions of Article 32 paragraph (4) of the GDPR;
  • reprimand for the breach of the provisions of Article 34 of the GDPR;
  • reprimand for the breach of the provisions of Article 4 paragraph (5) of Law no. 506/2004.

Within the investigation performed, it was found that SUDREZIDENȚIAL Broker S.R.L. did not take adequate measures in order to ensure that any natural person acting under its authority and that has access to personal data processes them only at its request, that led to the drafting of a registry in Excel format that contained personal data (first name, last name, personal identification number, telephone number, identity card series and number, e-mail address, banking data, immovable acquisitions, civil status, the sum requested, bank, observations) of the controller’s clients and of other natural persons (the spouses of the clients).

This situation led to the unauthorized disclosure to the large public of the personal data of at least 509 data subjects, clients of the controller, by their publishing by the director of the company on a certain Internet page.

Also, it was found that the controller did not inform the data subjects in relation to this personal data security breach, thus breaching the provisions of Article 34 of the GDPR.

Also, it was found that the controller SUDREZIDENȚIAL Broker S.R.L. stored information (cookies modules that were not necessary from technical point of view for the functioning of the controller’s website) without obtaining the consent of the users, natural persons, and without providing them clear and complete information according to Articles 12-14 of the GDPR, thus breaching the provisions of Article 4 paragraph (5) of Law no. 506/2004 on  the processing of personal data and the protection of privacy in the electronic communications sector, amended and completed.

In this context, we mention that Article 4 paragraph (5) of Law no. 506/2004 provides the following:

“The storage of information or obtaining access to the information stored within the terminal equipment of a subscriber or user is only allowed on condition that:

a) the subscriber or user concerned expressed his consent;

b) the subscriber or user concerned was provided, before the expression of the consent, in accordance with the provisions of Art. 12 of Law no. 677/2001, with its subsequent amendments and completions, clear and comprehensive information that:

i) to be presented in an easily accessible language and to be easily accessible to the subscriber or user;

ii) to include mentions in relation to the purposes of the processing of the information stored by the user or the subscriber or the information to which the latter has access.”

 

Legal and Communication Department

A.N.S.P.D.C.P.