Home » Comunicat_Presa_23_/_03_/_2021
 Română | English | Francais

sigla_anspdcp_2.png

The new Regulation 2016/679 applicable from 25th of May 2018

 

Complaints

GDPR Complaints

 

Procedure for complaints

Information on the payment of fine by legal entities

Controllers

Data Protection Officer Form

 

GDPR Breach Notification

 

Law nr. 506/2004 Breach Notification

 

GDPR Sanctions

Schengen

 

Schengen

News

Useful Information

 

F.A.Q.

Guidelines Q&A Regulation (EU) 2016/679

Indicative guidelines GDPR

Guidelines on the application of Law no. 363/2018

Useful Links

 

TFTP - Terrorist Finance Tracking Program

 

 

 

Procedure

Forms

Contact

Contact us

Data Protection

Information on the processing of personal data carried out by ANSPDCP

 

Cookies policy

23/03/2021

Sanction for the infringement of GDPR

 

The National Supervisory Authority finalized in February an investigation at Medicover S.R.L. and found the violation of the provisions of Article 32 paragraph (1) letter b) and of paragraphs (2) and (4) from the General Data Protection Regulation.

Therefore, the controller Medicover S.R.L. was sanctioned with a fine in amount of Lei 9,749.6 (the equivalent of Eur 2,000).

The investigation was started following the submission by the controller of successive notifications for personal data breaches, that signalled the unauthorised disclosure and unauthorised access to personal data such as: first name and last name, personal identification number, ID series and number, ID address, correspondence address, contact phone and e-mail, respectively name and data regarding the health transmitted to other natural persons than the recipients, at the e-mail address or post address.

Following the investigation, the supervisory authority found that the controller did not implement appropriate technical and organisational measures to ensure that any natural person acting under the authority of the controller and which has access to personal data processes them solely at the request of the controller, fact that resulted in the unauthorised disclosure and access to the personal data sent to other natural persons than the recipients, at the e-mail address of post address.

Also, the following corrective measures were imposed to the controller:

  • the review and update of the technical and organisational measures implemented following the evaluation regarding the risk for the rights and freedoms of the persons, including the work procedures regarding the personal data, as well as the implementation of some measures regarding the periodic training of the persons acting under its authority, regarding the obligations incumbent on it according to the GDPR provisions, inclusively in relation to the risks that the personal data processing involves, depending on the specific of the activity, inclusively of the work procedure regarding the protection of personal data and training of its own personnel;
  • the identification and implementation of some measures to ensure that the personal data processed are accurate and kept up to date, considering the purposes for which they are processed, and the inaccurate ones to be erased or rectified without delay (for example, a mechanism for the verification and validation of the e-mail address at the time of data collection).

 

Legal and Communication Department

ANSPDCP