The National Supervisory Authority for Personal Data Processing completed an investigation in 2024 at the operator Centrul Medical Unirea SRL and found a violation of the provisions of art. 24 and art. 32 of Regulation (EU) 2016/679 (GDPR).
As such, the operator was fined 9,953 Lei (equivalent to 2,000 Euros).
The investigation was initiated following a complaint regarding a possible violation of Regulation (EU) 2016/679 on the security of personal data.
The petitioner complained that, at one of the operator's medical workstations for collecting biological samples, the access credentials to his e-mail account were publicly exposed by being displayed on the computer monitor.
Consequently, it was found that the operator did not adopt appropriate technical and organizational measures to ensure a level of security appropriate to the risk of the processing, including the ability to ensure the confidentiality of the personal data of some data subjects, which allowed unauthorized access to them, at least at the date of the incident complained of.
As such, this act represents a violation of the provisions of Article 32 of Regulation (EU) 2016/679, the operator being sanctioned with a fine.
At the same time, pursuant to art. 58 para. (2) letter d) of the GDPR, the following corrective measures were ordered:
- training of persons acting under the authority of the controller, regarding their obligations under the provisions of the GDPR, including regarding the risks and consequences involved in the processing of personal data.
- adopting an updated password policy that includes rules regarding the confidentiality of user credentials.
The operator paid the established misdemeanor fine.
https://www.dataprotection.ro/index.jsp?page=Comunicat_Presa_13.01.2025&lang=ro