The National Supervisory Authority completed an investigation at the operator Veranda Obor SA and found a violation of art. 32 para. (1) lit. b) and art. 32 para. (2) of Regulation (EU) 2016/679, in relation to art. 83 para. (4) lit. a) of the same Regulation.
As such, the operator was fined 14,823.60 lei (equivalent to 3,000 Euro).
The investigation was started as a result of a notification regarding a possible violation of Regulation (EU) 2016/679.
The website belonging to Veranda Obor SA displayed personal data (such as name, surname, e-mail) of a significant number of data subjects who had participated in a raffle organized by the shopping center.
During the investigation, it was found that the operator had not implemented adequate technical and organizational measures to ensure a level of security corresponding to the processing risk, including the ability to ensure the confidentiality of processing systems and services. This incident led to the unauthorized disclosure of, or unauthorized access to, personal data processed and stored by the operator, through their display on the Veranda Obor SA website. This occurred although, according to art. 5 para. (1) lit. f) of the GDPR, the operator had the obligation to process personal data in a way that ensures their adequate security, including protection against unauthorized or illegal processing and against accidental loss, destruction or damage, by taking appropriate technical or organizational measures (“privacy”).
https://www.dataprotection.ro/index.jsp?page=Comunicat_Presa_11.12.2023&lang=ro