The National Center for Personal Data Protection (NCPDP) communicates, for information and application purposes, the administrative fine in the amount of 70,000 euro imposed by the Romanian National Supervisory Authority for the Processing of Personal Data (ANSPDCP) on UiPath SRL for violation of the provisions of Articles 25 and 32 of the General Data Protection Regulation (GDPR).
The investigation was started as a result of the controller's transmission of a personal data breach notification under the GDPR.
Thus, UiPath SRL notified a breach of the confidentiality of personal data, consisting in the publication of the personal data of a significant number of users of the Academy Platform on a website accessible at a URL address.
During the investigation, the ANSPDCP found that UiPath SRL did not implement adequate technical and organisational measures to ensure that, by default, personal data are not made accessible to an unlimited number of people without the intervention of the data subject, including the ability to ensure the ongoing confidentiality and resilience of processing systems and services, as well as a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of processing.
This fact led to the unauthorised disclosure of, and access to, personal data (user name and surname, the unique identifier of each user, e-mail address, the name of the company where the user is employed, the country, and details of the level of knowledge obtained within the UiPath ACADEMY courses) of about 600,000 users of the Academy Platform belonging to the controller UiPath, for a period of about 10 days.
ANSPDCP considered that this violation of the processing of personal data is likely to cause physical, material or moral harm to the data subjects, such as the loss of control over their personal data or the loss of confidentiality of their personal data.
Following the investigation, ANSPDCP informed the other supervisory authorities involved, pursuant to Article 60 of Regulation (EU) 2016/679, of the conclusions resulting from the investigations carried out in this case with cross-border impact, as well as of the proposed measures.
ANSPDCP considered that UiPath SRL carried out cross-border processing and that the provisions of Article 60 of Regulation (EU) 679/2016, as well as those of Article 16 (3), (5), (6) and (7) of Law no. 102/2005, republished, which provide for the application of sanctions/corrective measures by decision of the president of ANSPDCP, were applicable.
In this situation, the controller UiPath SRL was sanctioned with a fine of 346,598 lei, the equivalent of 70,000 euro.
At the same time, pursuant to Article 58 (2) d) of Regulation (EU) 2016/679, the Supervisory Authority ordered a corrective measure against the controller: to implement a procedure, applied at regular time intervals, for regularly testing, assessing and evaluating the effectiveness of the adopted measures, taking into account the risk presented by the processing, in order to ensure an appropriate level of security and to avoid similar security incidents in the future.
The NCPDP, as the national supervisory authority for the processing of personal data, emphasises the responsibility of personal data controllers to comply with the provisions of the legislative framework for the protection of personal data and to ensure that personal data processing operations comply with the legislation in force.