The National Supervisory Authority for Personal Data Processing has completed two investigations of two controllers and found breaches of Article 32(1)(b) and Article 32(2) and (4) of Regulation (EU) 2016/679 (GDPR).
Thus:
1. The controller MEDICOVER SRL was fined 4,970.30 lei (equivalent to 1,000 EUR).
The investigation was initiated following the transmission by the operator of the personal data breach notification.
The data breach occurred as a result of the unauthorised disclosure of personal data from a medical consultation report to another patient for whom it was not intended.
The investigation revealed that the controller did not take measures to ensure that any natural person acting under its authority who has access to personal data only processes them at the request of the controller and did not implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk of the processing, including the ability to ensure the confidentiality and integrity of the processing systems and services.
As such, this situation led to the loss of confidentiality of personal data processed, through unauthorised disclosure and unauthorised access to personal data (such as: name, surname, date of birth, age, reason for visit, personal pathological history, diagnosis, conclusions and recommendations, prescribed medication, hospitalisation, referrals for tests/consultations) of a patient, by handing over the medical report of the consultation to another patient.
2. The controller IRIDEX GROUP SALUBRIZARE SRL was fined 9,951.80 lei (equivalent to 2,000 EUR).
The investigation was initiated following a complaint received from an individual.
The breach of data security occurred as a result of the transmission of a collective electronic message to the e-mail addresses of the company's customers, with all recipients' addresses visible to every other recipient.
During the course of the investigation, it emerged that the controller had not taken measures to ensure that any natural person acting under its authority and having access to personal data only processed them at its request, and had not implemented adequate technical and organisational measures to ensure a level of security appropriate to the risk of the processing, including the ability to ensure the confidentiality, integrity, availability and continued resilience of the processing systems and services.
https://www.dataprotection.ro/index.jsp?page=Comunicat_Presa_09_05_2024&lang=ro