
24/08/2021

Sanction for the infringement of GDPR

 

In August 2021, the National Supervisory Authority finalised an investigation at the controller Actamedica SRL and found a breach of the provisions of Article 12 paragraph (3), Article 15 paragraph (1), Article 28 paragraph (1), Article 32 and Article 33 of the General Data Protection Regulation.

Therefore, the controller Actamedica SRL was sanctioned:

  • with a fine in the amount of Lei 9,836.6 (the equivalent of EUR 2,000), for the infringement of Article 28 paragraph (1) and Article 32 of the General Data Protection Regulation;
  • with a fine in the amount of Lei 4,918.3 (the equivalent of EUR 1,000), for the infringement of Article 33 of the General Data Protection Regulation;
  • with a reprimand, for the infringement of the provisions of Article 12 paragraph (3) and Article 15 paragraph (1) of the General Data Protection Regulation.

The investigation was launched following a complaint alleging that Actamedica SRL from Târgu-Mureș had informed a natural person about the loss of his biological samples and of an amount of money sent through a courier, the package having reached the recipient damaged. When asked which personal data had been exposed on this occasion and whether ANSPDCP had been notified of the breach, the controller replied by giving the natural person the contact details of the company's lawyer and an e-mail address at the courier company to which he should address his “demands”.

During the investigation, the National Supervisory Authority found that Actamedica SRL had not adopted sufficient security measures, as required by Article 28 paragraph (1) and Article 32 of the GDPR, adapted to the nature of the personal data being processed, which resulted in a security incident. In this context, it was found that the provisions of Article 28 paragraph (1) and Article 32 of the General Data Protection Regulation had not been observed.

The National Supervisory Authority also established that the controller did not notify it of the above-mentioned security incident, thus breaching the provisions of Article 33 of the General Data Protection Regulation.

On the same occasion, the National Supervisory Authority found that Actamedica SRL did not provide evidence that it had sent a response to the data subject's mailbox address regarding the categories of personal data exposed in that incident, as specifically requested. Therefore, it was found that the provisions of Article 12 paragraph (3) and Article 15 paragraph (1) of the General Data Protection Regulation had not been observed.

Also, the following corrective measures were applied to the controller:

  • the corrective measure to bring the personal data processing operations into compliance with the General Data Protection Regulation, by implementing technical and organisational measures appropriate to the specifics of the processing and the identified risks, including as regards choosing processors that present sufficient guarantees for the implementation of appropriate technical and organisational measures, so that the processing meets the requirements of the regulation and safeguards the protection of the data subjects’ rights;
  • the corrective measure to respond to the data subject's request regarding the categories of personal data affected by the security incident, and to communicate the response to the mail address indicated in the request.

Legal and Communication Department

ANSPDCP