Vodafone România SA fined EUR 3,000

On 11/Feb/2020, Vodafone România SA received a privacy fine of EUR 3,000. The enforcement authority (Romanian National Supervisory Authority for Personal Data Processing) has cited these legal provisions in imposing the fine on Vodafone România SA: Article 5 GDPR/GDPR/

Essentials

Date of enforcement action:
11/Feb/2020
Jurisdiction: Fine imposed:
Romania Flag for Romania, which is the jurisdiction taking enforcement action EUR 3,000 (US$3,200)
Defendant company or entity: Industry segment:
Vodafone România SA Telecoms /

Case summary

On the 11th of February 2020, the National Supervisory Authority finalised an investigation at the controller Vodafone România SA and found that it infringed the principles relating to the processing of personal data established in Article 5 paragraph (1) letters d) and f) in conjunction with Article 5 paragraph (2) of General Data Protection Regulation.

The controller Vodafone România SA was sanctioned with a fine of 14,308.8 lei, the equivalent of 3,000 euros.

The sanction was imposed as the controller mistakenly processed personal data of a natural person in order to handle his/her complaint, which subsequently determined the transmission of the controller’s response to an incorrect e-mail address, not having taken sufficient security measures against the illegal processing of personal data belonging to that person, in violation of the principles relating to the processing provided by Article 5 paragraph (1) letters d) and f) corroborated with Article 5 paragraph (2) of General Data Protection Regulation.

At the same time, a corrective measure was imposed to the controller Vodafone România SA pursuant to the provisions of Article 58 paragraph (2) letter d) of General Data Protection Regulation.

Thus, the controller was obliged to ensure compliance of the operations for the collection and subsequently processing of personal data with the General Data Protection Regulation, by implementing efficient methods of respecting the accuracy of the data, including in the case of data collection, such as the e-mail address. In this respect, it was ordered to implement, within 30 days from the date of communication of the minutes of sanction, adequate and efficient security measures from a technical and organisational point of view, including through regular training of persons processing data under the authority of the controller.

In this context, we highlight the provisions of Article 5 paragraph (1) of General Data Protection Regulation which states that “personal data shall be:

d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (“accuracy”);

f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical o organisation measures (“integrity and confidentiality”).”

Also, Article 5 paragraph (2) of the Regulation provides that “The controller shall be responsible for, and be able to demonstrate compliance with, paragraph (1) (“accountability”).

(Romanian DPA)

Commentary

This case is one instance of transmitting data, relating to a complaint, to the wrong email address. The company had therefore failed to keep the information on file accurate, and had then engaged in processing outside the bounds of its authority by error (in sending material to the wrong email address). On one view, it could be considered a data breach – however the case only involved one individual.

Applicable legal provisions

Enforcement information

Enforcement authority: Type of enforcement action:
Romanian National Supervisory Authority for Personal Data Processing Flag for Romania, which is the jurisdiction taking enforcement action Penalty notice
Subject to appeal?
Yes

Cite this fine in your work

Data Privacy Fines Index. (2020-02-11 09:50) Vodafone România SA fined EUR 3,000. dataprivacyfines.com. Retrieved from https://dataprivacyfines.com/fine/vodafone-romania-sa-fined-eur-3000/

Entry last updated: 2020-04-28 10:11 GMT.