In February, the National Supervisory Authority concluded an investigation of the controller S.C. Medicover S.R.L. and found a breach of the provisions of Article 32(1)(b) and Article 32(2) and (4) of the General Data Protection Regulation.
The controller S.C. Medicover S.R.L. was fined 9,749.6 lei (2,000 euros).
The investigation was opened after the controller submitted several personal data breach notifications reporting the unauthorized disclosure of personal data such as name and surname, personal numeric code (CNP), identity card series and number, identity card address, mailing address, contact phone number and email address, as well as health data, which were sent by email or post to natural persons other than the intended recipients.
The Supervisory Authority found that the controller had not implemented adequate technical and organizational measures to ensure that every natural person acting under the controller's authority who has access to personal data handles it correctly; this led to the unauthorized disclosure of personal data, by email or post, to natural persons other than the real recipients.
The controller was also ordered to take the following corrective measures:
- revising and updating all the technical and organizational measures implemented following the assessment of the risks to the rights and freedoms of individuals, including the working procedures related to personal data protection, and implementing measures for the regular training of the persons acting under its authority on their obligations under the GDPR, including the risks associated with personal data processing, taking into account the specific nature of its activity, including the personal data protection procedures and staff training;
- identifying and implementing measures to ensure that the personal data processed are accurate and kept up to date for the purposes for which they are processed, and that inaccurate personal data are erased or rectified without undue delay (for example, a mechanism to verify the validity of the email address at the time of collection).