24.11.2022
Sanction for the GDPR infringement
The National Supervisory Authority finalized in November 2022 an investigation at the controller Medicover S.R.L. and found the breach of the provisions of Article 32 paragraph (1) letter b) and paragraph (2) from the General Data Protection Regulation.
Therefore, the controller was sanctioned with fine in amount of Lei 4,901 (the equivalent of EUR 1,000).
The investigation was started following a data security breach notification that was submitted by Medicover S.R.L. based on the provisions of Article 33 from the General Data Protection Regulation.
Therefore, within the investigation it was found that the breach of the data protection security took place following the fact that an e-mail containing addenda of the medical services agreements that pertained to other clients of the controller were provided to a client.
Therefore, it resulted that this breach led to the loss of the confidentiality of the processed data through the unauthorized disclosure and access to certain personal data, such as: first name and last name, PIN, address and signature.
The National Supervisory Authority found that Medicover S.R.L. did not implement appropriate technical and organizational measures in order to ensure a confidentiality and security level corresponding to the risk of the processing, according to the provisions of Article 32 from the General Data Protection Regulation.
Legal and Communication Department
A.N.S.P.D.C.P.