ROMANIAN SUPERVISORY AUTHORITY: Fines for GDPR breaches.

The National Supervisory Authority completed an investigation at the operator Proleasing Motors SRL on 23.06.2020 and found that the provisions of Article 32(1) and (2) of the General Data Protection Regulation had been infringed.

Operator Proleasing Motors SRL was penalized with a fine of 72,642 lei, equivalent to 15,000 euros.

The investigation was initiated following the transmission by the controller of a notification of the personal data breach by filling in the specific form established under the General Data Protection Regulation.

The breach of security consisted in the fact that, on the Facebook page on which the operator held an online competition to attract participating customers in the car service, a document was posted with a screenshot of the source code of the website which included the password for access to the forms completed by the participants in the competition.

This situation led to unauthorised viewing of and access to the personal data of 436 of the operator's customers on the Proleasing Motors SRL website, and to the unauthorised disclosure of such data, contrary to the obligations laid down in Article 32 of the General Data Protection Regulation.

As such, the penalty was imposed on the controller because it did not implement adequate technical and organisational measures to ensure a level of security appropriate to the risk that processing poses to the rights and freedoms of natural persons, arising in particular from the accidental or unlawful destruction, loss, alteration or unauthorised disclosure of, or unauthorised access to, personal data transmitted, stored or otherwise processed.

The controller was also subject to the corrective measure of reviewing and updating the technical and organisational measures implemented as a result of the risk assessment for the rights and freedoms of persons, including procedures relating to electronic communications, so as to avoid similar incidents of unauthorised disclosure of the personal data processed, pursuant to Article 58(2)(d) of the General Data Protection Regulation.

At the same time, I would point out that, according to recital 75 of the General Data Protection Regulation, ‘The risk to the rights and freedoms of natural persons, with varying degrees of likelihood of materialisation and seriousness, may be the result of processing of personal data which could give rise to physical, material or moral damage, in particular in cases where: processing may lead to discrimination, identity theft or fraud, financial loss, reputational compromise, loss of confidentiality of personal data protected by professional secrecy, unauthorised reversal of pseudonymisation or any other significant disadvantage of an economic or social nature; data subjects could be deprived of their rights and freedoms or prevented from exercising control over their personal data; processed personal data are data revealing racial or ethnic origin, political opinions, religion or philosophical beliefs, trade union membership; genetic data, health data or data on sexual life or criminal convictions and related offences or security measures are processed; aspects of a personal nature are assessed, in particular the analysis or forecasting of aspects of performance at work, economic situation, health status, personal preferences or interests, reliability or behaviour, location or travel, in order to create or use personal profiles; personal data of vulnerable persons, in particular children, are processed; or processing involves a large amount of personal data and affects a large number of data subjects.’

SOURCE: ROMANIAN DATA PROTECTION AUTHORITY
