Romanian Supervisory Authority's fine of 9,544.40 lei (EUR 2,000) against Telekom Romania Mobile Communications SA

25 November 2019

The National Supervisory Authority finalised on the 25th of November 2019 an investigation at the controller Telekom Romania Mobile Communications SA, ascertaining the following:
the infringement of provisions of Article 32 paragraph (1) letter b) and Article 32 paragraph (2) of Regulation (EU) 2016/679;
the infringement of Article 5 paragraph (1) letter d) of Regulation (EU) 2016/679.
The controller Telekom Romania Mobile Communications SA was sanctioned with a reprimand for the breach of provisions of Article 32 paragraph (1) letter b) and Article 32 paragraph (2) of Regulation (EU) 2016/679 and with a fine in the amount of 9544.40 lei, equivalent to the amount of 2000 euros for the violation of Article 5 paragraph (1) letter d) of Regulation (EU) 2016/679.
The sanctions were applied as a result of a complaint claiming that the petitioner receives at his/her home address invoices addressed to another person, the client of the controller, as well as the fact that he/she informed the controller of this situation, but he/she did not receive an answer.
Within the investigation, Telekom Romania Mobile Communications SA could not prove the accuracy of the data processed, which led to the violation of the basic principle for data processing provided by Article 5 paragraph (1) letter d) of the GDPR.
Thus, according to Article 5 paragraph (1) letter d) of Regulation (EU) 2016/679, “personal data are:
d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’).”
Also, it was found that the controller did not take appropriate technical and organisational measures to ensure the confidentiality of personal data, which led to the disclosure of the personal data of a client of the controller by sending invoices issued on behalf of that client to another customer.

For further information, please contact the Romanian Supervisory Authority: anspdcp@dataprotection.ro

The press release published here does not constitute official EDPB communication, nor an EDPB endorsement. This press release was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. As the press release is represented here as it appeared on the SA's website or other channels of communication, the news item is only available in English or in the Member State's official language with a short introduction in English. Any questions regarding this press release should be directed to the supervisory authority concerned.