The National Center for Personal Data Protection, for information and application purposes, reports on a series of fines imposed by the Romanian National Supervisory Authority for Personal Data Processing for violations of the General Data Protection Regulation (GDPR).
– An economic agent was fined 15 000 EUR for violating the security of personal data. A document containing a screenshot of the website's source code, which included the access password to the forms completed by the contest participants, was posted on the Facebook page on which the controller conducted an online contest to attract customers participating in the car service.
This situation made possible the unauthorized viewing of and access to the personal data of 436 of the controller's customers through its website, and the unauthorized disclosure of such data, contrary to the provisions of art. 32 of GDPR.
– At the same time, a banking institution was fined 5 000 EUR for collecting copies of customers' ID cards through an employee's personal phone.
The investigation was initiated following a complaint. In the course of it, the Romanian National Supervisory Authority for Personal Data Processing found that the banking institution had not implemented technical and organizational measures to ensure a level of security appropriate to the risk of the processing. The controller did not take steps to ensure that any natural person acting under its authority who has access to personal data processes them only on instructions from the controller, unless required to do so by Union or Member State law.
Moreover, the banking institution should have implemented technical measures to ensure the confidentiality of personal data and strictly authorized access to the data transmitted by its customers.
Non-compliance with the aforementioned requirements led to the infringement of GDPR and to the controller concerned being fined 5 000 EUR.