ROMANIAN SUPERVISORY AUTHORITY: Sanction for non-compliance with GDPR

The National Supervisory Authority for Personal Data Processing completed, in December 2024, an investigation at the operator RED&WHITE 2022 MANAGEMENT SA and found a violation of the provisions of art. 28 para. (3) letter a) of Regulation (EU) 2016/679.

For the acts committed, the operator was fined 24,854.50 lei (the equivalent of 5,000 euros).

The investigation into the sanctioned operator was initiated following issues notified to the Authority by the operator, respectively by an authorized representative of the operator, regarding a possible violation of the provisions of Regulation (EU) 2016/679 in the context of a crowdfunding campaign (microfinancing from individuals).

The investigation found that the operator, as the majority shareholder of a football team, sent an email regarding the possibility of financing the team by its supporters to a database consisting of a very large number of email addresses of data subjects who had purchased tickets to the team’s matches. The email was sent through an authorized person of the operator, and the database used contained personal data (surname, first name, email address) of both the club’s supporters and other individuals.

In this context, the operator did not provide evidence of the development of documented instructions for its processor regarding the category (supporters) of data subjects from the database used, to whom the processor sent the email, designed and approved by the operator, about the funding campaign.

It is worth noting that Regulation (EU) 2016/679 provides in Article 28(3) that “Processing by a processor shall be governed by a contract or other legal act under Union or national law to which the processor is bound in relation to the controller and which sets out the subject matter and duration of the processing, the nature and purpose of the processing, the type of personal data and the categories of data subjects and the obligations and rights of the controller. (…)”.

In addition, the aforementioned article regulates, among other things, that the respective contract or legal act specifically provides that the person empowered by the operator processes personal data only on the basis of “documented instructions from the operator”.

https://www.dataprotection.ro/index.jsp?page=Comunicat_Presa_30_01_2025&lang=ro
