25.000 lei fine ANSPDCP for GDPR violation

In February of this year, the National Supervisory Authority completed two investigations into two operators who violated the provisions of Art. 32 para. (1) lit. (2) of the General Data Protection Regulation (GDPR).

As a result, the operators were fined 11,023.42 lei and 14,697.90 lei respectively, the equivalent of 2,250 EUR and 3,000 EUR. The investigations were triggered after the operators themselves reported personal data breaches, as the GDPR requires.

During the investigations, it was discovered that the data breaches occurred due to ransomware attacks that resulted in unauthorized access and loss of integrity and availability of personal data, such as identification data, ID card data, addresses, phone numbers and account statements.

Although the operators took measures to remedy the situation, they were fined, in accordance with the criteria for the individualization of sanctions set out in Article 83 of the GDPR, for breaching Article 32 para. (1) lit. (2) of the GDPR: they had not implemented adequate technical and organizational measures to ensure an appropriate level of security for the processing, including the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services.

What data controllers need to know about the provisions of Article 32 of the GDPR

  • Article 32 of the General Data Protection Regulation (GDPR) sets out the obligations of controllers to protect personal data against loss, destruction or unauthorized access.
  • Specifically, the provisions of Art. 32 para. (1) lit. (2) of the GDPR refer to the implementation of appropriate technical and organizational measures to ensure an adequate level of security in the processing of personal data.
  • Article 32 para. (1)(b) provides that controllers must take measures to ensure the confidentiality, integrity and continued availability of data processing systems and services. This may be achieved by implementing appropriate security procedures, such as data encryption or the use of passwords or two-factor authentication.
  • Article 32 para. (1) lit. (c) requires operators to take measures to ensure rapid recoverability and availability of and access to data in the event of security incidents. These measures could include, for example, making regular backups of data, having a business continuity plan in place, and regular testing to verify recoverability.
  • Article 32 para. (2) states that controllers must regularly assess the risks associated with the processing of personal data and implement appropriate technical and organizational measures to manage them. This should be done taking into account the nature of the data processed, the amount, the context and purpose of the processing and the potential threats to the rights and freedoms of data subjects.

3 reasons why we recommend hiring a data protection specialist for your company

  1. Compliance with legislation – One of the most important reasons for needing personal data protection advice is to ensure compliance with applicable legislation, in particular the European Union’s General Data Protection Regulation (GDPR). Consulting can help your company understand the legal requirements and implement appropriate measures to comply.
  2. Risk mitigation – The company may be exposed to significant risks if it does not adequately protect personal data. Personal data protection consultancy can help identify and mitigate these risks by assessing processes and implementing appropriate data security measures, which can protect the company’s reputation and value.
  3. Improved efficiency – Data privacy consulting can help a company improve efficiency and productivity by identifying and eliminating unnecessary processes or implementing new technologies that enable more efficient and secure data management. This can lead to an increase in operational efficiency and company competitiveness.

The news about the fine can be read here