Background information
- Date of final decision: July 2022.
- Controller: Enel Energie Muntenia S.A.
- Legal Reference: Security of processing (Article 32).
- Notification of a personal data breach to the supervisory authority (Article 33).
- Decision: Infringement of the GDPR, Corrective measures.
- Key words: Data breach, security of processing.
Summary of the Decision
Origin of the case
The investigation was started following complaints submitted by a natural person, who reported that, after a phone request addressed to Enel Energie Muntenia S.A., he/she received from the address contacteem.ro@enel.com a response addressed to another client (also a natural person), accompanied by documents that could be viewed in his/her e-mail inbox.
Key Findings
During the investigation, it was found that the controller Enel Energie Muntenia S.A. did not provide clear information on the reasons why one of its employees sent the claimant's response in error.
The controller also did not provide evidence that it had taken remediation measures to reduce the risk to which the personal data were exposed and to prevent further unlawful disclosure of, or access to, the personal data.
The controller did not provide evidence that it had notified this incident to the Romanian Supervisory Authority (SA). However, given the circumstances of this case described above, the security incident should have been notified under Article 33 of the GDPR within 72 hours of the date on which the controller Enel Energie Muntenia S.A. became aware of it.
Therefore, the controller Enel Energie Muntenia S.A. was sanctioned with a fine, because it did not adopt sufficient security measures under Article 32 of the GDPR, which led to a security incident in which documents visibly containing the personal data of a data subject were sent by e-mail to a third party, and with a reprimand, because it did not notify the Romanian SA for the Processing of Personal Data.
Decision
Following the investigation, the controller Enel Energie Muntenia S.A. was sanctioned with a fine and a reprimand, as follows:
- a fine of 49,337 lei (the equivalent of EUR 10,000) for the breach of the provisions of Article 32 of the GDPR;
- a reprimand for the breach of the provisions of Article 33 of the GDPR.
In addition, based on Article 58 paragraph (2) letter d) of the GDPR, three corrective measures were imposed on the controller Enel Energie Muntenia S.A.:
- the corrective measure to ensure the compliance of its personal data processing activities with the GDPR, by implementing technical and organisational measures appropriate to the specific nature of the processing and to the risks identified, across the entire processing flow;
- the corrective measure to ensure the compliance of its personal data processing operations with the GDPR, by contacting the claimant (at his/her e-mail address) to request that he/she erase or destroy, as the case may be, the personal information to which he/she had access after receiving by e-mail the correspondence addressed to a third party;
- the corrective measure to ensure the compliance of its personal data processing operations with the GDPR, by adopting internal measures to reduce the risks to which the third party's personal data were exposed, in order to prevent further unlawful disclosure of, or access to, his/her personal data.
For further information:
The news published here does not constitute official EDPB communication, nor an EDPB endorsement. This news item was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. Any questions regarding this news item should be directed to the supervisory authority concerned.