Sanction for the infringement of GDPR
On the 11th of February 2020, the National Supervisory Authority finalised an investigation at the controller Vodafone România SA and found that it had infringed the principles relating to the processing of personal data established in Article 5 paragraph (1) letters d) and f), in conjunction with Article 5 paragraph (2) of the General Data Protection Regulation.
The controller Vodafone România SA was sanctioned with a fine of 14,308.8 lei, the equivalent of 3,000 euros.
The sanction was imposed because the controller mistakenly processed the personal data of a natural person in order to handle his/her complaint, which subsequently led to the controller’s response being sent to an incorrect e-mail address. The controller had not taken sufficient security measures against the illegal processing of personal data belonging to that person, in violation of the principles relating to processing provided by Article 5 paragraph (1) letters d) and f), corroborated with Article 5 paragraph (2) of the General Data Protection Regulation.
At the same time, a corrective measure was imposed on the controller Vodafone România SA pursuant to the provisions of Article 58 paragraph (2) letter d) of the General Data Protection Regulation.
Thus, the controller was obliged to ensure that its operations for the collection and subsequent processing of personal data comply with the General Data Protection Regulation, by implementing efficient methods of ensuring the accuracy of the data, including when data such as the e-mail address are collected. In this respect, it was ordered to implement, within 30 days from the date of communication of the minutes of sanction, adequate and efficient security measures from a technical and organisational point of view, including through regular training of persons processing data under the authority of the controller.
In this context, we highlight the provisions of Article 5 paragraph (1) of the General Data Protection Regulation, which state that “personal data shall be:
d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (“accuracy”);
f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (“integrity and confidentiality”).”
Also, Article 5 paragraph (2) of the Regulation provides that “The controller shall be responsible for, and be able to demonstrate compliance with, paragraph (1) (“accountability”).”