The National Supervisory Authority for Personal Data Processing has completed two investigations at two operators and has found breaches of Article 32 para. (1) (b) and Article 32 para. (2), (3) and (4) of Regulation (EU) 2016/679.
The investigations were initiated following the operators’ submission of the personal data breach notification under Article 33 of Regulation (EU) 2016/679.
1. The operator CENTRUL MEDICAL UNIREA SRL has been sanctioned with a fine of 24,856 lei (equivalent to 5,000 EUR).
The data breach occurred as a result of unauthorised disclosure of personal data on the internet.
During the investigation, it was found that personal data (such as: name and surname, CNP, date of birth, age, gender, work or personal telephone number, work or personal e-mail address, correspondence address, profession, position, timekeeping, targets and bonuses) of a significant number of data subjects (patients and employees) were disclosed without authorisation.
As a result, the investigation revealed that the controller did not implement adequate technical and organisational measures to ensure a level of confidentiality and security appropriate to the risk of the processing, and did not take sufficient measures to ensure that any natural person acting under the authority of the controller and having access to personal data processes them only on the controller's instructions.
At the same time, pursuant to Article 58 para. (2) lit. d) of Regulation (EU) 2016/679, the corrective measure of reviewing and updating the technical and organisational measures implemented, following the assessment of the risk to the rights and freedoms of individuals, was also ordered against the controller Centrul Medical Unirea SRL. This includes implementing a process for regularly testing, evaluating and assessing the effectiveness of the technical and organisational measures that ensure the security of the processing carried out.
2. The operator Genpact Romania SRL was fined 14,913.6 lei (equivalent to 3,000 EUR).
The data breach occurred as a result of the transmission of a file containing staff recruitment data to an unauthorised e-mail address of an employee.
In the course of the investigation, it emerged that no measures were taken to ensure that any natural person acting under the authority of the controller and having access to personal data processes them only when instructed to do so. It was also found that the controller did not implement adequate technical and organisational measures to ensure a level of security appropriate to the risk of the processing, including the ability to ensure the ongoing confidentiality, integrity, availability and resilience of the processing systems and services.
As such, this breach led to unauthorised access and unauthorised disclosure of personal data (such as: first and last name, telephone number, e-mail address) of some data subjects.
Under Article 58 para. (2) lit. d) of Regulation (EU) 2016/679, the corrective measure of reviewing and updating the technical and organisational measures implemented was also ordered against the operator Genpact Romania SRL. This includes the working procedures relating to the protection of personal data, the implementation and transmission to the responsible persons of instructions prohibiting the use of employees' personal equipment in activities not authorised by the company, and measures on training persons acting under its authority on their obligations under Regulation (EU) 2016/679, including the risks and consequences of disclosing personal data.