
30/03/2021

Sanction for the infringement of GDPR

 

In February 2021, the National Supervisory Authority completed an investigation at TELEKOM ROMÂNIA MOBILE COMMUNICATIONS S.A. and found a breach of Article 32 paragraphs (1) and (2) of the General Data Protection Regulation and a breach of Article 3 paragraph (1) and paragraph (3) letters a) and b) of Law no. 506/2004, amended and supplemented.

Therefore, the controller TELEKOM ROMÂNIA MOBILE COMMUNICATIONS S.A. was sanctioned:

  • with a fine in the amount of Lei 48,748.00 (the equivalent of Eur 10,000) for the breach of Article 32 paragraph (1) and paragraph (2) of the General Data Protection Regulation;
  • with a fine in the amount of Lei 15,000 for the offence provided under Article 13 paragraph (1) letter a) of Law no. 506/2004.

The investigation found that the controller did not implement appropriate technical and organisational measures to ensure a level of security corresponding to the risk of the processing, which led to the unauthorised disclosure of and/or unauthorised access to personal data of 99,210 data subjects/clients, such as: client ID, client code, first name and last name, personal identification number, date of birth, telephone number, e-mail, address (country, city, street), and value of the debts associated with the client code. Their invoice addresses were entered by error in the database of natural-person clients that was transmitted to a contractual partner under an assignment agreement, which resulted in the notices sent to the clients being shipped to the wrong addresses.

It was also found that the controller did not take appropriate technical and organisational measures to ensure the security of the processing of personal data stored or transmitted against unlawful storage, processing, access or disclosure, which led to unauthorised access to the personal data in the Myaccount accounts (name of the account holder; date of birth; used telephone numbers; domicile address; subscriber code; contracted services; history of the simple invoices) of 413 data subjects/Telekom România’s clients. We underline that the controller had the obligation to guarantee that the personal data can be accessed solely by authorised persons, for the purposes mentioned by law; by failing to do so, it violated the provisions of Article 3 paragraph (1) and paragraph (3) letters a) and b) of Law no. 506/2004 regarding the processing of personal data and the protection of privacy in the electronic communications sector, amended and supplemented.

Article 3 paragraph (1) and paragraph (3) letters a) and b) of Law no. 506/2004, amended and supplemented, provide the following:

“(1) The provider of a publicly electronic communications service must take appropriate technical and organizational measures to safeguard security of the personal data processing. If necessary, the provider of the publicly available electronic communications service shall take measures in conjunction with the provider of the public electronic communications network.

(3) Without prejudice to the provisions of Law no. 677/2001, with the subsequent amendments and supplementations, shall observe at least the following conditions:

a) to guarantee that the personal data can be accessed solely by authorized persons, for the purposes authorized by law;

b) to protect the personal data stored or transmitted against the accidental or unlawful destruction, against the loss or accidental damage and against the unlawful storage, processing, access or disclosure.”

The following corrective measures were also applied to the controller:

  • the review and update of the technical and organisational measures implemented following the evaluation regarding the risk to the rights and freedoms of persons, including the procedures for the electronic communications;
  • the implementation of a process for the periodic testing, evaluation and review of the efficiency of the technical and organisational measures in order to guarantee the security of the processing, according to the GDPR provisions.

 

In this context, we recall that Article V paragraph (2) of Law no. 129/2018 provides that “all references to Law no. 677/2001, with the subsequent amendments and supplementations, from the normative acts shall be construed as reference to the General Data Protection Regulation and to the law for its implementation.”

 

Legal and Communication Department

ANSPDCP