The main breaches of the Regulation (EU) No. 679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter the “GDPR” or the “Regulation”) committed by the Romanian data controllers (the “Controllers”) investigated and sanctioned by the National Supervisory Authority for Personal Data Processing (the “Supervisory Authority”) in 2023 may be summarized as follows:
- unauthorised access to personal data storage media (both traditional, such as physical files, and digital media – including through ransomware or phishing attacks), resulting in unauthorised access to such personal data and, in some cases, compromising its integrity;
- unlawful processing of personal data by means of (i) online or physical forms (including false online forms brought to the public’s attention as a result of a malware attack), (ii) tracking cookies installed on the user’s computer system without the user’s consent or without the possibility for the user to object to the installation thereof, or (iii) various technical devices (e.g., G.P.S., bodycam systems), without informing the data subjects in accordance with the provisions of the GDPR and without meeting the specific conditions under this Regulation regarding the lawfulness of data processing;
- unauthorised disclosure of personal data by Controllers or by individuals acting under their authority (e.g., employees) to third parties or even to the general public, without the consent of the data subjects, in situations such as: (i) the disclosure of recordings made via video surveillance systems, (ii) the display of personal data on a notice board, (iii) the publication of health data on a specialised blog, (iv) the transmission of personal data to public authorities (e.g., courts of justice) without any request from the concerned authorities, (v) the accidental transmission of personal data to a third party, or (vi) the accidental publication of personal data online (e.g., on websites or in folders which were accessible to website users, or as a result of updating software systems);
- infringement of the data subject’s right of access to his or her personal data in circumstances such as (i) refusing to make available to the data subject the telephone conversation with the Controller’s call centre or (ii) refusing to send a copy of a video recording to the data subject;
- the storage of personal data by the Controllers, without a legal basis, pursuant to the requests for erasure received from the data subjects, followed, in certain cases, by the processing of personal data for the purpose of sending advertising messages to the data subject (e.g., via SMS, e-mails, newsletter correspondence);
- incomplete responses to requests for information filed by data subjects (e.g., the categories of processed personal data, the purposes of processing, the recipients of personal data or the categories of recipients were not fully communicated);
- failure to notify the Supervisory Authority regarding security incidents within the time limit specified in the Regulation, i.e., not later than 72 hours after the Controllers became aware of the incidents;
- failure to comply with corrective measures ordered by the Supervisory Authority in a previously issued official report, which consisted of allowing the Supervisory Authority to access certain personal data and information necessary in order to carry out its control tasks.
For the breaches of the Regulation, the Controllers were sanctioned by the Supervisory Authority, both with warnings and fines ranging from EUR 200 to EUR 110,000 (i.e., the highest fine was applied to a controller, a company operating a gas station network in Romania for not taking specific measures ensuring that any natural person who acts under its authority and has access to personal data only processes it upon the controller’s request. Thus, during the investigation, the Supervisory Authority found that personal data belonging to the controller’s clients and introduced in the computer program owned by the controller were and repeatedly accessed without authorisation and disclosed for obtaining loans from non-banking financial companies on the clients’ behalf).
In addition, the Supervisory Authority frequently ordered the Controllers specific corrective measures to remedy the identified breaches.
Considering the GDPR provisions, as well as the sanctions and the corrective measures ordered by the Supervisory Authority in 2023, we present hereunder certain recommendations for preventing the repetition of such breaches of the Regulation:
- taking appropriate technical and organisational measures to prevent the risks associated with the processing of personal data, including the appropriate training of the Controller’s staff on the relevant legal provisions, in order to prevent the unauthorised disclosure, transmission or, where the case may be, access to personal data;
- Controllers should facilitate the exercise of the right of access by the data subjects and avoid the unlawful restriction of such right;
- ensuring the possibility for the Controllers to prove the erasure of personal data, in the event that its erasure has been requested by the data subjects and that there is no longer any basis for its processing, and no data processing in the absence of any legal basis;
- the transmission by the Controllers of complete responses to the requests for information filed by data subjects and making available to them the personal data that have been or are being processed, in accordance with the specific requirements of the GDPR;
- the use of invasive means of collecting personal data, such as video surveillance systems, G.P.S. or bodycams, only where other less invasive means would not be effective for the legitimate interest pursued by the Controller and only in compliance with all the requirements of the GDPR, including those relating to the obligation to inform data subjects regarding the personal data to be collected, as well as carrying out a data protection impact assessment;
- ensuring an adequate cooperation between Controllers and the Supervisory Authority, notifying the Supervisory Authority about security incidents within the legal deadline of 72 hours, carrying out any corrective measures ordered and facilitating the Supervisory Authority’s access to personal data and information, in accordance with the Regulation.
According to the information provided at the end of 2023 by the Supervisory Authority to mass-media, its investigations last on average from 12 to 18 months. The Supervisory Authority also stated that, as of 7 December 2023, it had completed a total of 460 investigations and that it had imposed fines amounting to approximately EUR 470,000 (i.e., more than double the fines imposed in the previous year).
Our law firm is prepared to offer assistance and guidance to persons interested in complying with the GDPR provisions at the highest professional standards.