The National Supervisory Authority for Personal Data Processing completed, in January 2025, an investigation at the operator Medstar SRL and found a violation of the provisions of Articles 32, 33 and 34 of Regulation (EU) 2016/679 (GDPR).
As such, the operator was sanctioned with:
- a fine in the amount of 9,946.2 Lei (equivalent to 2,000 Euros) for violating the provisions of Article 32 of Regulation (EU) 2016/679;
- a warning for breach of the provisions of Article 33 and Article 34 of Regulation (EU) 2016/679.
The investigation was initiated following a complaint from a data subject, who claimed that the operator where he had his medical tests performed, the Medstar clinic, had disclosed his personal data and that of another data subject.
During the investigation, it was found that the operator disclosed the health data of the petitioner to another person (patient), and the health data of another patient were transmitted to the petitioner, erroneously and insecurely by e-mail.
Thus, this situation led to the unauthorized disclosure of personal and special data belonging to several data subjects, such as: name, surname, personal identification number, age, gender, locality, mobile phone number, e-mail addresses, medical data from the patient’s history, type of tests performed, name of the doctor who made the recommendation and his specialty, name of the doctor who performed the tests and his specialty, test results, medical recommendation, name of the payer, prescribed treatment.
It was also found that the operator did not adopt sufficient technical and organizational security measures in accordance with Article 32 of the GDPR, adapted to the nature of the personal data that were processed, which led to the unauthorized disclosure of the personal data of some data subjects.
As such, the operator Medstar SRL was fined for violating the provisions of Article 32 of Regulation (EU) 2016/679.
At the same time, since the operator neither notified the data security breach to the National Supervisory Authority for Personal Data Processing nor informed the data subjects about the unauthorized disclosure of their personal data, two warnings were issued to it, for violating the provisions of Article 33 and Article 34 of Regulation (EU) 2016/679.
The operator was also ordered to take the following corrective measures:
- to ensure compliance with the GDPR of personal data processing operations, by implementing technical and organizational security measures appropriate to the specifics of the processing and the risks identified, throughout the data processing cycle, in particular in terms of verifying the accuracy of the personal data processed, establishing appropriate rules related to the management of files that can be transmitted using electronic means of communication (remotely), training persons who process data under the authority of the operator, regularly verifying compliance with the instructions sent to them, automating certain processes to reduce the risks of illegal or unauthorized processing of personal data;
- to ensure compliance with the GDPR of personal data processing operations, by adopting internal measures necessary for the rapid detection, management and reporting of personal data security breaches, regardless of whether or not they require notification of the supervisory authority and/or data subjects, as well as appropriate and regular training of persons who process data under the authority of the controller, in this context;
- to inform the persons to whom personal data has been disclosed about the data security breach, by bringing to their attention the information provided for in Article 34 of the GDPR;
- to ensure compliance with the GDPR of personal data processing operations, by requesting the persons to whom the data has been disclosed (data subjects) not to use and to delete the personal data of third parties that have been disclosed to them in an unauthorized manner.
https://www.dataprotection.ro/index.jsp?page=Comunicat_Presa_20_02_2025&lang=ro