Home » Comunicat_Presa_19_09_2022_1
 Română | English | Francais

19.09.2022

A new sanction for the infringement of GDPR

 

The National Supervisory Authority finalized an investigation at the controller Vodafone Romania SA and found the breach of the provisions of Article 29 and Article 37 paragraph (1) letter b), paragraph (2) and paragraph (4) of the General Data Protection Regulation.

The controller Vodafone Romania SA was sanctioned with fine in amount of Lei 9,890.8 (the equivalent of EUR 2,000).

Within the investigation it was found that the controller Vodafone Romania SA did not verify the observance of the identification procedure of the person calling by its processors which allowed some third parties to procure fraudulently new phones on behalf of some clients of the controller.

Also, this situation allowed the third parties the accessing of the data from the contracts concluded by clients with the controller and of the data from the personal accounts My Vodafone, such as: first name, last name, address, personal identification number, contact telephone number, PUK code, contact number of the owner, SIM series of the initial card, value of the last unpaid invoice and the data traffic.

Also, the National Supervisory Authority found that Vodafone Romania SA did not adopt sufficient measures to ensure that any natural person acting under the authority of the controller and that has access to the personal data processes them only at the request of the controller and did not implement adequate technical and organizational measures in order to ensure a level of confidentiality and security corresponding to the risk of the processing.

Therefore, the controller Vodafone Romania SA was sanctioned with fine for the breach of the provisions of Article 29 and Article 32 paragraph (1) letter b) and paragraph (2) of the General Data Protection Regulation.

 

Legal and Communication Department

A.N.S.P.D.C.P.