Data Protection Newsletter

√     Several fines applied by the Romanian Data Protection Authority

The Romanian Data Protection Authority (RDPA) has published several press releases on fines applied for infringements of the data protection provisions. A short summary follows:

1.     EUR 13,000 applied to a telecommunication services provider

RDPA concluded that the company failed to implement appropriate technical and organisational measures to ensure an adequate security level. This generated an unauthorised disclosure of personal data (client ID, name, surname, national identification number, date of birth, sex, phone number, e-mail or address) belonging to 99,210 individuals.

2.     EUR 2,000 to a company providing healthcare services

The investigation started following several data breaches notified by the company to RDPA. The authority concluded that the data controller failed to implement appropriate technical and organisational measures to ensure an adequate security level, which resulted in an unauthorised disclosure of personal data, such as name, surname, national identification number, number and series of the identity card, address, phone number and e-mail, together with information related to the individuals’ health status.

3.     EUR 2,000 to a banking institution

Following a complaint submitted by an individual, RDPA concluded that the company failed to comply with the requirements related to the transmission of unrequested communications. The company was not able to prove that the individual consented to the transmission of such communications through short message services (SMS), although the individual repeatedly exercised their right to object.

4.     EUR 500 to an individual acting as a controller

The individual posted on a social network a list containing personal data (name, surname, signature, citizenship, birth date, address, number and series of the identity card, as well as political opinions) belonging to ten (10) individuals. RDPA concluded that the individual acted as a controller and thus failed to comply with the requirements of appropriate technical and organisational measures to ensure an adequate level of security of the processed personal data.

 

*This ePublication is provided by Radu Taracila Padurari Retevoescu SCA and is for information purposes only. It does not constitute legal advice or an offer for legal services. The distribution of this document does not create an attorney-client relationship. If you require advice on any of the matters raised in this document, please call your usual contact at Radu Taracila Padurari Retevoescu SCA at +40 31 405 7777.