SANCTIONS APPLIED BY ANSPDCP IN AUGUST 2023
By Mugurel Olariu, RPD protectie date
According to the News section of the website of the National Supervisory Authority*1, several investigations were completed in August and both fines and corrective measures were applied to a number of operators, legal and natural persons alike.
We point out that the fines applied are expressed in lei, with equivalents in EURO ranging between two thousand and seventy thousand euro.
We also note the important fact that, for the four cases presented below, the investigations were started in three cases as a result of complaints from the data subjects concerned, and in one case as a result of a notification of a personal data security breach.
In essence, the circumstances of the cases and the sanctions and corrective measures applied are as follows:
A. Date of 03.08.2023:
Controller: MED LIFE SA.
GDPR provisions violated: art. 12 para. (4) (Transparency of information, communications and ways of exercising the rights of the data subject) and of art. 15 para. (3) (Right of access by the data subject).
Sanction: fine in the amount of 9,839.6 lei, the equivalent of 2,000 EURO.
Notification mode: complaint alleging that the operator violated the petitioner’s right of access by refusing to communicate certain video recordings from the reception of one of its hospitals.
Corrective measure: to respond to the petitioner’s requests by communicating the copy of his personal data provided for by art. 15 para. (3) of the GDPR, namely the requested video recordings, for the time interval in which the petitioner was on the premises of the operator’s hospital, observing, as the case may be, the provisions of art. 15 para. (4) of the GDPR.
B. Date of 21.08.2023:
Controller: UIPATH SRL.
GDPR provisions violated: art. 25 (Data protection by design and by default) and art. 32 (Security of processing).
Sanction: fine in the amount of 346,598 lei, the equivalent of 70,000 EURO.
Notification mode: transmission by the controller of a notification of a personal data breach.
Corrective measure: to implement a documented mechanism, applied at regular time intervals, for regularly testing, assessing and evaluating the effectiveness of the measures adopted, taking into account the risk presented by the processing, in order to ensure an appropriate level of security and to avoid similar security incidents in the future.
C. Date of 23.08.2023:
Controller: BODY LINE SRL.
GDPR provisions violated: art. 5 (Principles relating to processing of personal data), art. 6 (Lawfulness of processing), art. 9 (Processing of special categories of personal data), art. 17 (Right to erasure (“right to be forgotten”)) and art. 32 para. (1) and (2) (Security of processing).
Sanction: fines totaling 49,322 lei, the equivalent of 10,000 EURO.
Notification mode: complaint alleging that the operator disclosed the personal data of the petitioner (a customer of the operator) by posting an audio-video recording on the operator’s social media pages.
Corrective measures:
• to ensure that personal data processing operations comply with the GDPR, including by developing written procedures, so that the personal data of the data subjects are processed in strict compliance with the legal provisions on the protection of personal data, avoiding the illegal, excessive or unauthorized collection, disclosure and/or use of their personal data;
• to comply with the petitioner’s request to delete his personal data in connection with the posts on the operator’s social media pages;
• to ensure that personal data processing operations comply with the GDPR by implementing appropriate technical and organizational measures, in particular as regards the training of the persons who process data under its authority (employees or collaborators), by regularly organizing training sessions with them on their obligations regarding the processing of personal data through the video surveillance system, by establishing the conditions under which images or audio-video recordings may be accessed by a limited number of people on the basis of individual credentials, by periodically verifying access to the image records, and by ensuring the rapid detection, management and reporting of personal data security breaches.
D. Date of 31.08.2023:
Controller: natural person.
GDPR provisions violated: art. 5 (Principles relating to processing of personal data), art. 6 para. (1) lit. a) (Lawfulness of processing) and art. 9 para. (2) lit. a) (Processing of special categories of personal data).
Sanction: fine in the amount of 9,919.2 lei, the equivalent of 2,000 EURO.
Notification mode: complaint following which it was established that the sanctioned operator (a doctor) filmed, with his personal phone, a patient of the hospital where he works, without her consent, and later posted the footage on his Facebook page. The audio-video recording led to the disclosure of the patient’s personal data, such as image, voice, name, surname and state of health.
Corrective measure: to ensure that personal data processing operations comply with the GDPR, so that patients’ personal data are processed in strict compliance with the legal provisions regarding the provision of medical services and the protection of personal data, avoiding the illegal, excessive or unauthorized collection, disclosure and/or use of their personal data.
–––––––––––––––––––––––––––
1. https://www.dataprotection.ro/?page=allnews