The National Supervisory Authority finalised on the 25th of November 2019 an investigation at the controller Telekom Romania Mobile Communications SA, ascertaining the following:
the infringement of provisions of Article 32 paragraph (1) letter b) and Article 32 paragraph (2) of Regulation (EU) 2016/679;
the infringement of Article 5 paragraph (1) letter d) of Regulation (EU) 2016/679.
The controller Telekom Romania Mobile Communications SA was sanctioned with a reprimand for the breach of provisions of Article 32 paragraph (1) letter b) and Article 32 paragraph (2) of Regulation (EU) 2016/679 and with a fine in the amount of 9544.40 lei, equivalent to the amount of 2000 euros for the violation of Article 5 paragraph (1) letter d) of Regulation (EU) 2016/679.
The sanctions were applied as a result of a complaint claiming that the petitioner receives at his/her home address invoices addressed to another person, the client of the controller, as well as the fact that he/she informed the controller of this situation, but he/she did not receive an answer.
Within the investigation, Telekom Romania Mobile Communications SA could not prove the accuracy of the data processed, which led to the violation of the basic principle for data processing provided by Article 5 paragraph (1) letter d) of the GDPR.
Thus, according to Article 5 paragraph (1) letter d) of Regulation (EU) 2016/679, “personal data are:
d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’).”
Also, it was found that the controller did not take appropriate technical and organisational measures to ensure the confidentiality of personal data, which led to the disclosure of the personal data of a client of the controller by sending invoices issued on behalf of that client to another customer.
For further information, please contact the Romanian Supervisory Authority: anspdcp@dataprotection.ro