08.06.2022
Fine for the breach of GDPR
The National Supervisory Authority finalized in May 2022 an investigation at the company Wens Experience SRL and found the breach of the provisions of Article 28 paragraph (2) of the General Data Protection Regulation. The company Wens Experience SRL, as processor of a controller, was sanctioned with fine in amount of Lei 7,418.55 (the equivalent of EUR 1,500).
The investigation was started following the submission by the controller involved of a personal data security breach notification by its processor based on the General Data Protection Regulation.
Within the investigation it was found that the processor Wens Experience SRL recruited another processor for the processing of the personal data of the controller’s employees without priorly receiving a general or specific written authorization from the controller, thus breaching the provisions of Article 28 paragraph (2) of the GDPR.
We mention that, according to Article 28 paragraph (2) of the GDPR, “The processor shall not engage another processor without prior specific or general written authorisation of the controller. In the case of general written authorisation, the processor shall inform the controller of any intended changes concerning the addition or replacement of other processors, thereby giving the controller the opportunity to object to such changes.”
Legal and Communication Department
ANSPDCP