Home » Comunicat_Presa_27_12_2022
 Română | English | Francais

sigla_anspdcp_2.png

The new Regulation 2016/679 applicable from 25th of May 2018

 

Complaints

GDPR Complaints

 

Procedure for complaints

Information on the payment of fine by legal entities

Controllers

Data Protection Officer Form

 

GDPR Breach Notification

 

Law nr. 506/2004 Breach Notification

 

GDPR Sanctions

Schengen

 

Schengen

News

Useful Information

 

F.A.Q.

Guidelines Q&A Regulation (EU) 2016/679

Indicative guidelines GDPR

Guidelines on the application of Law no. 363/2018

Useful Links

 

TFTP - Terrorist Finance Tracking Program

 

 

 

Procedure

Forms

Contact

Contact us

Data Protection

Information on the processing of personal data carried out by ANSPDCP

 

Cookies policy

27.12.2022

 

Sanction for the GDPR infringement

 

The National Supervisory Authority finalized in November 2022 an investigation at the controller Kaufland România SCS and found the breach of the provisions of Article 29 and Article 32 paragraph (1) letter b) and paragraph (2) and paragraph (4) from the Regulation (EU) 2016/679.

Therefore the controller Kaufland România SCS was sanctioned with a fine in amount of Lei 14,779.80 (the equivalent of EUR 3,000).

The investigation was started following a data security breach notification submitted by the controller based on the provisions of Regulation (EU) 2016/679.

Therefore, the controller Kaufland România SCS was informed by a data subject on the fact that a video footage containing images with him/her from the parking of one of the stores held by this commercial network appeared on the webpage of a local newspaper.

Within the investigation performed, it resulted that the store manager allowed the access of an employee within the monitoring room, that captured, with the personal mobile phone, images of the video recordings that were displayed and that were provided through WhatsApp to a third party.

Therefore, the image and the registration number of the vehicle were disclosed, two data subjects being therefore affected by this incident.

It was fount that the controller did not take measure in order to ensure that any natural person acting under its authority and that has access to personal data processes them only at its request and did not take adequate measures in order to continuously protect the data.

Also, it did not implement adequate technical and organisational measures in order to ensure a level of confidentiality and security corresponding to the processing risk generated specifically by the accidental or illegal destruction, loss, modification, unauthorized disclosure or unauthorized access to the personal data provided, stored or otherwise processed.  

At the same time, based on the provisions of Article 58 paragraph (2) of Regulation (EU) 2016/679 it also the corrective measure to implement instructions for the ban of the use of personal equipment of the employees (such as mobile phone, tablets) in order to record/take photos/download/distribute video records by using WhatsApp or social networks was ordered to the controller.

 

Legal and Communication Department

A.N.S.P.D.C.P.