Home » Comunicat_Presa_22_09_2022
 Română | English | Francais

22.09.2022

A new sanction for the GDPR infringement

 

The National Supervisory Authority finalized in May 2022 an investigation at the controller Bitfactor SRL and found the breach of the provisions of Article 25 paragraph (1) and Article 32 paragraph (1) and (2) of the General Data Protection Regulation.

The controller Bitfactor SRL was sanctioned with fine in amount of Lei 9,852.8 (the equivalent of EUR 2,000).

The investigation Was started following the submission by the controller of a personal data security breach notification based on the General Data Protection Regulation.

The breach of the data security took place following a faulty functioning of an application of the controller that was sending marketing communications to the users of it’s website, which led to the breach of the personal data confidentiality of a number of 1,757 data subjects, users of the controller’s website.

Within the investigation it was found that the controller did not implement adequate technical and organizational measures, to continuously protect the personal data of the data subjects, both when determining the processing means and when processing them, intended for efficiently implementing the data protection principles and to integrate the necessary guarantees within the processing, although, according to Article 5 letter f) of the General Data Protection Regulation, the controller had the obligation to observe the integrity and confidentiality principle.

In this context, we underline that Article 25 paragraph (1) of the General Data protection Regulation provides that “the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data-protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects.”

Also, Recital 78 of the General Data Protection Regulation provides that “the controller should adopt internal policies and implement measures which meet in particular the principles of data protection by design and data protection by default.”

Therefore, the controller Bitfactor SRL was sanctioned with fine in amount of Lei 9,852.8 (the equivalent of EUR 2,000) for the breach of the provisions of Article 25 paragraph (1) and Article 32 paragraph (1) letters b), d) and paragraph (2) of the General Data Protection Regulation.

 

Legal and Communication Department

A.N.S.P.D.C.P.