Fine for the infringement of the GDPR
The National Supervisory Authority has finalized, on the 7th of November 2019, an investigation with the controller SC CNTAR TAROM SA and noted the infringement of Article 32 paragraph (4) in conjunction with Article 32 paragraphs (1) and (2) of the General Data Protection Regulation.
The investigation was carried out as a result of a data breach notification of the supervisory authority by SC CNTAR TAROM SA dating the 13th of September 2019.
The controller SC CNTAR TAROM SA was sanctioned with a fine of 95,194 lei, the equivalent of 20,000 euros.
The sanction was applied to the controller due to the fact that it did not implement adequate technical and organisational measures in order to ensure that any natural person acting under its authority and having access to personal data only processes them following its request. Related to this aspect, the controller has not taken any appropriate measures in order to ensure a level of security corresponding to the risk generated by the unauthorised disclosure or the unauthorised access to the personal data transmitted, stored or otherwise processed.
This situation led to the unauthorised access, by an employee, of the booking application and the photographing of a list containing the personal data of 22 TAROM passengers/clients and to the unauthorised disclosure in the online environment of this list.