On 11/Feb/2020, Vodafone România SA received a privacy fine of EUR 3,000. The enforcement authority (Romanian National Supervisory Authority for Personal Data Processing) has cited these legal provisions in imposing the fine on Vodafone România SA: Article 5 GDPR/GDPR/
|Date of enforcement action:|
|Romania||EUR 3,000 (US$3,200)|
|Defendant company or entity:||Industry segment:|
|Vodafone România SA||Telecoms /|
On the 11th of February 2020, the National Supervisory Authority finalised an investigation at the controller Vodafone România SA and found that it infringed the principles relating to the processing of personal data established in Article 5 paragraph (1) letters d) and f) in conjunction with Article 5 paragraph (2) of General Data Protection Regulation.
The controller Vodafone România SA was sanctioned with a fine of 14,308.8 lei, the equivalent of 3,000 euros.
The sanction was imposed as the controller mistakenly processed personal data of a natural person in order to handle his/her complaint, which subsequently determined the transmission of the controller’s response to an incorrect e-mail address, not having taken sufficient security measures against the illegal processing of personal data belonging to that person, in violation of the principles relating to the processing provided by Article 5 paragraph (1) letters d) and f) corroborated with Article 5 paragraph (2) of General Data Protection Regulation.
At the same time, a corrective measure was imposed to the controller Vodafone România SA pursuant to the provisions of Article 58 paragraph (2) letter d) of General Data Protection Regulation.
Thus, the controller was obliged to ensure compliance of the operations for the collection and subsequently processing of personal data with the General Data Protection Regulation, by implementing efficient methods of respecting the accuracy of the data, including in the case of data collection, such as the e-mail address. In this respect, it was ordered to implement, within 30 days from the date of communication of the minutes of sanction, adequate and efficient security measures from a technical and organisational point of view, including through regular training of persons processing data under the authority of the controller.
In this context, we highlight the provisions of Article 5 paragraph (1) of General Data Protection Regulation which states that “personal data shall be:
d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (“accuracy”);
f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical o organisation measures (“integrity and confidentiality”).”
Also, Article 5 paragraph (2) of the Regulation provides that “The controller shall be responsible for, and be able to demonstrate compliance with, paragraph (1) (“accountability”).
This case is one instance of transmitting data, relating to a complaint, to the wrong email address. The company had therefore failed to keep the information on file accurate, and had then engaged in processing outside the bounds of its authority by error (in sending material to the wrong email address). On one view, it could be considered a data breach – however the case only involved one individual.
|Enforcement authority:||Type of enforcement action:|
|Romanian National Supervisory Authority for Personal Data Processing||Penalty notice|
|Subject to appeal?|
Cite this fine in your work
Data Privacy Fines Index. (2020-02-11 09:50) Vodafone România SA fined EUR 3,000. dataprivacyfines.com. Retrieved from https://dataprivacyfines.com/fine/vodafone-romania-sa-fined-eur-3000/
Entry last updated: 2020-04-28 10:11 GMT.