
11.11.2021

Sanction for the infringement of GDPR

 

During October 2021, the National Supervisory Authority completed an investigation of the controller Vodafone Romania S.A. and found a breach of the provisions of Article 32 paragraph (1) letter b) and paragraph (4) of the General Data Protection Regulation, as well as a violation of the provisions of Article 3 paragraph (1) and paragraph (3) letters a) and b) of Law no. 506/2004 on the processing of personal data and the protection of privacy in the electronic communications sector.

The controller was sanctioned as follows:

  • a fine of Lei 7,421.25, the equivalent of EUR 1,500, for the breach of the provisions of Article 32 paragraph (1) letter b) and paragraph (2) of the GDPR;
  • a fine of Lei 7,000 for the breach of the provisions of Article 3 paragraph (1) and paragraph (3) letters a) and b) of Law no. 506/2004.

The investigation was initiated after the controller submitted several personal data breach notifications under the General Data Protection Regulation or under Regulation (EU) 611/2013.

Regarding the data breaches notified under the GDPR, the National Supervisory Authority found that the controller did not implement appropriate technical and organisational measures to ensure that any natural person acting under the authority of the controller or of the processor who has access to personal data processes them only at the request of the controller, unless that person is required to do so under Union or national law, so as to ensure a level of security appropriate to the processing risk, including the ability to ensure the confidentiality of the data.

This situation resulted in the unauthorised disclosure of and/or unauthorised access to the personal data of 6 natural persons between 16 November 2020 and 18 May 2021 (the transmission of some service agreements to wrong e-mail addresses, and unauthorised access by the controller’s employees to the personal data of Vodafone’s clients without any request from them).

Regarding the data breaches notified under Regulation (EU) 611/2013, the National Supervisory Authority found that the controller did not implement appropriate technical and organisational measures to ensure the security of personal data processing, so that personal data can be accessed only by authorised persons for the purposes authorised by law, and so that stored or transmitted personal data are protected against illegal processing, access or disclosure.

Thus, the controller processed the personal data of 64 natural persons through unauthorised access to those data by the controller’s employees between 4 November 2020 and 22 June 2021.

 

Legal and Communication Department

A.N.S.P.D.C.P.