DATA PROTECTION IN NOVEMBER 2021

By Mugurel Olariu, RPD protectie date

Data protection authorities, at European level – EDPB and national level – ANSPDCP, continued to monitor and clarify the application of the GDPR in November, as follows:

The EDPB – European Data Protection Board held a plenary meeting on 18 November, adopting several instruments, including: Guideline No. 5/2021 on the interplay between Article 3 and Chapter V of the GDPR and the Internal Guidance on the practical implementation of amicable settlements.
Please note that Guideline 5/2021 aims to clarify the interaction between the territorial scope (art. 3) and the provisions on international transfers in Chapter V of the GDPR, and is subject to public consultation until the end of January 2022. The guideline aims to help EU controllers and processors identify whether a processing operation constitutes an international transfer and to provide a common understanding of the concept of international transfers.

The guideline specifies three cumulative criteria that qualify a processing as a transfer, as follows:
✔ the data exporter (a controller or a processor) is subject to the GDPR for the given processing;
✔ the data exporter transmits or makes available the personal data to the data importer (another controller, joint controllers or a processor);
✔ the data importer is in a third country or is an international organization.

The processing will be considered a transfer regardless of whether the importer established in a third country is already subject to the GDPR under art. 3 GDPR. However, the EDPB considers that the collection of data directly from EU data subjects, on their own initiative, does not constitute a transfer.

Guideline No. 5/2021, together with Guideline 4/2021 on codes of conduct as tools for transfers, can provide a consistent framework for the application of the Code of Conduct developed by the five professional associations in the industry, which is still in the draft phase. In the coming period, we will ask operators, through the professional associations, to provide a series of data by answering a questionnaire, in order to update the form of the Code of Conduct.

The NSAPPD – National Supervisory Authority for the Processing of Personal Data published on its website a series of sanctions and / or corrective measures applied in November. For preventive purposes, for controllers and processors in the industry, we briefly present the essential facts that were the subject of the authority’s investigations, as follows:

01.11.2021: – at the controller IKEA ROMANIA SA, a violation of the provisions of art. 32 para. (1) lit. b) and para. (2) of the General Data Protection Regulation was found, and the controller was sanctioned with a fine of 4,948.80 lei (equivalent to 1,000 EURO). The investigation was initiated following the transmission by IKEA ROMANIA SA of a personal data breach notification to the National Authority for the Supervision of Personal Data Processing. IKEA ROMANIA SA had organized a drawing contest in which the children of IKEA Family members participated. The participants uploaded their own drawings, together with the participation forms, to the online platform dedicated to members; the forms contained the children’s personal data as well as that of the parents / legal guardians, including their consent. For the vote on the best drawing, the children’s drawings were mistakenly published on the online platform together with the personal data contained in the participation forms. The investigation found that the security incident led to the unauthorized disclosure of the personal data of IKEA Family members (name, surname and age of minors; name, surname, city, country, e-mail address, IKEA Family membership number and handwritten signature of the parent / legal guardian) on the online platform dedicated to IKEA Family members in Romania, accessible only to them, for about 40 hours, affecting 114 individuals (half of them minors).

– at the controller S.P.E.E.H. Hidroelectrica S.A., a violation of the provisions of art. 32 para. (1) lit. b) and para. (2) of the General Data Protection Regulation (GDPR) was found, as well as a violation of the provisions of art. 5 para. (1) lit. a) and of art. 6 para. (1) of the GDPR. S.P.E.E.H. Hidroelectrica S.A. was fined as follows:
a fine in the amount of 24,739.50 lei, the equivalent of 5,000 EURO, for violating the provisions of art. 32 para. (1) lit. b) and para. (2) of the GDPR;
a warning, for violating the provisions of art. 5 para. (1) lit. a) and of art. 6 para. (1) of the GDPR.
The national supervisory authority found that the operator did not implement adequate technical and organizational measures to ensure a level of security appropriate to the risk presented by the processing. This situation led to unlawful access to, or disclosure to erroneous recipients of, the personal data of 325 individuals. At the same time, the following corrective measures were applied to the operator:
reviewing and updating the technical and organizational measures implemented as a result of the risk assessment for the rights and freedoms of individuals, including working procedures on personal data protection, as well as implementing measures for the regular training of persons acting under its authority;
identifying and implementing measures to ensure that the personal data processed are accurate and up to date, taking into account the purposes for which they are processed, including keeping a record of data subjects’ exercise of the right to erasure of personal data.

11.11.2021: – at the controller VODAFONE Romania S.A., a violation of the provisions of art. 32 para. (1) lit. b) and para. (4) of the General Data Protection Regulation (GDPR) was found, as well as a violation of the provisions of art. 3 para. (1) and para. (3) lit. a) and b) of Law no. 506/2004 on the processing of personal data and the protection of privacy in the electronic communications sector. The operator VODAFONE Romania S.A. was fined as follows:
a fine in the amount of 7,421.25 lei, the equivalent of 1,500 EURO, for violating the provisions of art. 32 para. (1) lit. b) and para. (2) of the GDPR;
a fine in the amount of 7,000 lei for violating the provisions of art. 3 para. (1) and para. (3) lit. a) and b) of Law no. 506/2004.
The national supervisory authority found that the controller had not implemented adequate technical and organizational measures to ensure that any natural person acting under the authority of the controller or of the processor, and who has access to personal data, processes them only upon request, unless this obligation rests with Union or national law, and to ensure a level of security appropriate to the risk of the processing, including the ability to ensure the confidentiality of data. This situation led to unauthorized disclosure and / or unauthorized access to the personal data of 6 individuals between 16 November 2020 and 18 May 2021 (transmission of service contracts to erroneous e-mail addresses, and unauthorized access by the operator’s employees to the personal data of Vodafone customers without any request from those customers). In addition, the operator processed the personal data of 64 individuals through unauthorized access to their data by the operator’s employees between November 4, 2020 and June 22, 2021.

26.11.2021: – at the controller Valoris Center S.R.L., a violation of the provisions of art. 29, art. 32 para. (1) lit. b) and para. (4) of the General Data Protection Regulation was found. As such, the operator was sanctioned with a fine of 9,898.00 lei (equivalent to 2,000 EURO). The investigation was initiated as a result of a personal data breach notification transmitted by an operator, based on the provisions of art. 33 of the General Data Protection Regulation. The breach of the security of personal data processing was due to the fact that a call center employee of Valoris Center S.R.L. (a person authorized by the operator) erroneously attached, in a message to one of the operator’s clients, an Excel file containing the data of that operator’s customers who have the Internet Banking service. The investigation found that this breach led to unauthorized disclosure of, or unauthorized access to, personal data such as e-mail address, username, user CNP, phone number, customer name, customer code and client PIN, with 11,169 data subjects affected by the incident.
