15.03.2023
Sanctions
1. In February this year, the National Supervisory Authority finalized an investigation of the controller Alianța pentru Unirea Românilor and found a breach of the provisions of Article 5 paragraph (1) letter c) and paragraph (2) of the General Data Protection Regulation.
Therefore, Alianța pentru Unirea Românilor was sanctioned with a fine of Lei 49,115, the equivalent of EUR 10,000.
The sanction was applied following reports that the controller collects personal data through a website without informing the data subjects and without fulfilling the conditions for the lawfulness of the processing.
The investigation found that personal data (first name, last name, address, identity card series and number, personal identification number, telephone, signature) were collected by filling in and signing the online form on that website, by submitting the downloaded, filled-in and signed form by post, and by filling in and signing forms at the special centres organised by Alianța pentru Unirea Românilor.
This situation led to the processing of the personal data of a significant number of data subjects in breach of the personal data processing principles provided under Article 5 paragraph (1) letter c) ("data minimisation") and paragraph (2) of the GDPR ("accountability").
2. In February this year, the National Supervisory Authority finalized another investigation, of the controller Partidul Uniunea Salvați România, and found a breach of the provisions of Article 32 paragraph (1) letter a) and paragraph (2) of the General Data Protection Regulation.
Therefore, Partidul Uniunea Salvați România was sanctioned with a fine of Lei 19,646, the equivalent of EUR 4,000.
The investigation was started after the controller submitted a personal data security breach notification under the General Data Protection Regulation.
The data security breach occurred following the loss of the security and integrity of the data stored on a server of the controller that was hosted on an application in which a phishing cyber attack took place.
The investigation found that the controller did not implement adequate technical and organizational measures to ensure an appropriate level of security, such as encryption/pseudonymization of the personal data stored on that application, which led to unauthorized access to personal data such as first name, last name, personal identification code, e-mail, telephone number and data regarding political affiliation.
In addition, a corrective measure was applied to ensure the conformity of the personal data processing operations with the GDPR, through the implementation of adequate technical and organizational measures, following an assessment of the risk to persons' rights and freedoms, including the working procedures regarding personal data protection.
Legal and Communication Department
A.N.S.P.D.C.P.