ROMANIAN SUPERVISORY AUTHORITY: sanction for having breached the GDPR

In February 2021 the National Supervisory Authority concluded an investigation of the operator TELEKOM ROMANIA MOBILE COMMUNICATIONS SA and found a breach of Article 32, paragraphs 1 and 2, of the General Data Protection Regulation, as well as a breach of Article 3, paragraphs 1 and 3, letters a) and b), of Law No. 506/2004, as amended and supplemented.

For this reason, the operator TELEKOM ROMANIA MOBILE COMMUNICATIONS SA was sanctioned for minor offences:

  • with a fine of 48.748,00 LEI (10.000 EUR) for having breached Article 32, paragraphs 1 and 2, of the General Data Protection Regulation;
  • with a fine of 15.000 lei for having breached Article 3, paragraphs 1 and 3, letters a) and b), of Law No. 506/2004.

The investigation found that the operator had not implemented adequate technical or organizational measures to guarantee a level of security appropriate to the risks of the processing. This led to the unauthorized disclosure of personal data (client ID, client code, name and surname, CNP, date of birth, sex, telephone number, e-mail, address (country, city, street) and the amount of debt linked to the client code) of 99.210 data subjects/clients. The billing addresses had been wrongly entered into the database record of each client, and these records were sent to a contractual partner under a debt-sale contract, with the result that notification letters were sent to clients at the wrong addresses.

It was also found that the controller had not implemented adequate technical and organizational measures to ensure the security of the processing of personal data, that is, measures capable of protecting stored or transmitted personal data against unlawful storage, processing, access or disclosure. This led to unauthorized access to the personal data held in Myaccount accounts (account holder name; date of birth; telephone numbers used; home address; e-mail address; subscriber code; contracted services; active on-account extra options; history of simple invoices) of 413 data subjects/Telekom Romania customers. We stress that the controller was obliged to ensure that personal data could be accessed only by authorized persons for the purposes specified by law; this constitutes a breach of Article 3(1) and (3)(a) and (b) of Act No 506/2004 on the processing of personal data and the protection of privacy in the electronic communications sector, as amended and supplemented.

The provisions of Article 3, paragraphs 1 and 3 letters (a) and (b) of Law N. 506/2004, as amended and supplemented, provide for the following:

“(1) The provider of a publicly available electronic communications service is required to take appropriate technical and organizational measures to ensure the security of the processing of personal data. Where necessary, the provider of the publicly available electronic communications service shall take such measures together with the provider of the public electronic communications network;

(3) Without prejudice to the provisions of Law No 677/2001, as amended and supplemented thereafter, the measures adopted pursuant to paragraph 1 shall comply at least with the following conditions:

  a) ensure that personal data can only be accessed by authorized persons for purposes authorized by law;
  b) protect stored or transmitted personal data against accidental or unlawful destruction or accidental loss or damage and against unlawful storage, processing, access or disclosure.”

Corrective measures were also taken by the operator, consisting of:

  • review and update the technical and organizational measures implemented, following the assessment of the risk to the rights and freedoms of individuals, including procedures relating to electronic communications;
  • implement a process for regularly testing, assessing and evaluating the effectiveness of the technical and organizational measures for ensuring the security of processing, as specified in the GDPR.

In this context, it is recalled that Article V(2) of Law No 129/2018 states that “all references to Law No 677/2001, as amended and supplemented subsequently, in the normative acts shall be read as references to the General Data Protection Regulation and the legislation implementing it”.

SOURCE: ROMANIAN DATA PROTECTION AUTHORITY
