Clifford Chance

In July, the Romanian Data Protection Authority (the ANSPDCP) announced the application of the first fines for the breach of the Regulation (EU) no. 2016/679 on the protectionof natural persons regarding the processing of personal data and on the free movement of such data (the GDPR) against UniCredit Bank, World Trade Centre Bucharest and LegalCompany & Tax Hub, the owner of the "Avocatoo" legal blog

Background

On 4 July 2019, ANSPDCP announced the application of the first fine for GDPR breaches against UniCredit Bank, having the value of EUR 130,000. Two other fines followed shortly: on 8 July 2019 ANSPDCP announced the application of a fine against World Trade Centre Bucharest, of EUR 15,000, and on 12 July 2019 announced the application of a fine against Legal Company & Tax Hub, of EUR 3,000.

These are the first sanctioning measures through which ANSPDCP publicly shows its commitment to ensure the correct application of GDPR for both small and large sized companies. This sends the message that all companies, regardless of their size or sector, must address and mitigate risks related to processing of personal data.

Two of the sanctions, applied to UniCredit Bank and, respectively to Legal Company & Tax Hub, are the result of complaints submitted with ANSPDCP by data subjects, while World Trade Centre Bucharest has been sanctioned following its own submission of a data breach notification whereby it informed the ANSPDCP on the incident.

Fines Applied for GDPR Breaches

UniCredit Bank

On 27 June 2019, ANSPDCP applied to UniCredit Bank SA, a Romanian credit institution, - a fine of RON 613,912 (approximately EUR 130,000) for breach of article 25 (1) of GDPR.

ANSPDCP found that the personal data of individuals making on-line payments to UniCredit Bank SA, such as the personal identification number or the address, were made available to the beneficiaries of such payments. ANSPDCP ascertained that the controller failed to implement appropriate technical and organisational measures to ensure that, by default, only personal data which are necessary for each specific purpose of the processing are processed.

This breach affected more than 350,000 individuals making payments to UniCredit Bank SA between 25 May and 10 December 2018.

World Trade Centre Bucharest

On 2 July 2019, ANSPDCP applied a fine of RON 71,028 (approximately EUR 15,000) to World Trade Centre Bucharest SA, a controller activating in the hotel industry, – for breach of articles 32 (4) and 32 (1) and (2) of the GDPR regarding the security of personal data processing.

ANSPDCP found that a printed document containing a list of clients accommodated in a hotel owned by the company, which included certain personal data, was photographed by unauthorised persons outside the company. The list including the personal data of the clients was subsequently published on-line. ANSPDCP found that the company did not take appropriate measures to ensure that the employees who have access to personal data are processing it only within the limits and with the observance of the law. ANSPDCP also ascertained that the company did not implement adequate technical and organisational measures to ensure a proper mitigation of the risk associated with the accidental or illegal unauthorised disclosure or unauthorised access to personal data.

This breach affected a number of 46 clients of the respective hotel, whose personal data have been disseminated on-line by an employee of the sanctioned entity.

This incident shows that controllers are expected to take measures to show their accountability for breaches of the GDPR and that this does not mean that they are protected of sanctions from the ANSPDCP irrespective of the number of individuals affected by the breach or whether concrete damages are ascertained. Whether the controller providing the information to ANSPDCP was recognized as a mitigating factor is still to be seen when further details on the sanctioning will become available.

Legal Company & Tax Hub

On 5 July 2019, ANSPDCP applied a fine of RON 14,173.50 (approximately EUR 3,000) to a company operating a legal blog – Legal Company & Tax Hub – for breaches of art. 32 (1) and (2) of GDPR.

ANSPDCP found that the company failed to implement adequate technical and organisational measures, which lead to the unauthorised disclosure and unauthorised access to personal data of persons who completed transactions registered on the avocatoo.ro website. Such personal data included name, address, e-mail, phone number, workplace, the details of the completed transactions, and it was available on-line for approximately a month and a half, between December 2018 and February 2019. ANSPDCP found that the company had the obligation to ensure that the data processing is performed in an adequate manner and must take adequate technical and organisational measures, including the protection against unauthorised or illegal personal data processing and loss, destruction or accidental deterioration of personal data.

The number of individuals affected by this breach is not specified in the information made public by the ANSPDCP.

So far GDPR fines are mostly related to failure to implement adequate technical and organisational measures

As seen from the very brief information made public by ANSPDCP regarding the first fines applied for breach of the GDPR in Romania, it seems that most of the breaches refer to various failures to implement technical and organisational measures as to ensure protection of the data processing operations, either as part of data protection by default or by design or as safeguarding instruments in the data processing operations. Also training of employees involved in data processing operations seems to have been treated rather lightly by the data controllers as opposed to the increased requirements stemming from the application of the GDPR as of 25 May 2018.

Right to appeal the fines applied by ANSPDCP

The companies have the right to appeal the decision imposing the fine before a court of law within 15 days as of the communication of the decision to the company. The appeal will suspend the obligation to pay the fine until the competent court has reached a final decision. If the company does not lodge an appeal against a decision, it must pay the fine within 15 days as of the communication of the decision imposing the fine.

Key take-away points

• First GDPR Fines in Romania: ANSPDCP applied the first fines for GDPR breaches against three companies having different sizes and activating in different sectors. The fines range between EUR 3,000 to EUR 130,000.
• Fines are mainly related to failure to implement technical and organisational measures: most of the breaches sanctioned by ANSPDCP refer to a failure to implement technical and organisational measures either as privacy by design or by default or as an instrument to ensure protection of the data during the processing operations.
• Appeals: the companies can appeal the decisions of the ANSPDCP before the competent court of law and appeals suspend the obligation to pay the applied fine.

Andreia Moraru, Trainee Lawyer, contributed to the writing of this article