After announcing the first GDPR fine on July 4th, 2019, the Romanian data protection authority announced its second fine, this time for a data breach. In this regard, the Romanian DPA falls in line with the other data protection authorities in Europe that have made data security, and breaches thereof, one of their main enforcement topics since GDPR became applicable.
What do we know?
On July 8th, 2019, the Romanian Authority for the Supervision of Personal Data Processing (the “Romanian DPA”) announced that it applied the second fine under GDPR:
- the sanctioned entity: an entity active in the hospitality sector, amongst others
- the deed: mishandling of clients’ personal data. The personal data was in paper format (a list of clients who had paid for breakfast); it was photographed by unauthorized persons and published online, thereby affecting the data subjects’ right to privacy
- relevant details: the investigation was initiated after the controller had notified the personal data breach according to Article 33 of GDPR
- number of affected persons: 46
- amount of fine: EUR 15,000
GDPR provisions in question
The fine was applied for the breach of Article 32 para. (4) of GDPR, read together with Article 32 para. (2) and (3) of GDPR. Thus, the Romanian DPA held that the controller had failed to take steps to ensure that any natural person acting under its authority who had access to personal data does not process them except on instructions from the controller.
What does this GDPR fine indicate?
If the first GDPR fine was all about data minimization and privacy by design and by default, in announcing the second GDPR fine, the Romanian DPA looks to reinforce the need to both ensure personal data security and be able to demonstrate such measures.
In grounding its decision to apply the fine, the Romanian DPA again underlined the controller’s general obligation under Article 24 of GDPR to implement appropriate technical and organizational measures to ensure and be able to demonstrate that processing is GDPR compliant. These measures have to take into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons.
One interesting detail is the Romanian DPA’s quoting of Recital (75) of GDPR, which emphasizes that “The risk to the rights and freedoms of natural persons, of varying likelihood and severity, may result from personal data processing which could lead to physical, material or non-material damage (…)”. Correlating this with the fact that clients’ data were posted online, one may infer that the damage considered by the DPA did not necessarily relate to physical or material damage, but rather to non-material damage, such as damage to the right to privacy.
Another interesting detail is that the Romanian DPA became aware of the personal data breach as a result of the controller notifying it in accordance with Article 33 of GDPR. The number of such notifications in Romania is quite low compared with other EU member states (approx. 400 in the first year of GDPR). Under Romanian law, the DPA initiates an investigation after receiving each data breach notification. In many cases, the DPA closed such investigations without applying fines, preferring instead to make use of warnings and/or corrective measures.
Nevertheless, with its first GDPR fine for a data breach, the Romanian DPA has shown that it is willing to move beyond corrective measures when the context and details of the breach warrant such action. In doing so, it emphasized that organizational measures are as important as technical measures when it comes to data security.
Where do controllers stand after this fine?
If the first GDPR fine made controllers take a closer look at their data minimization practices, this second fine will certainly place increased emphasis on the need to protect personal data and to be able to demonstrate the efforts made in this area. For entities in some sectors, this effort is already on the priority list, as Romania is working on transposing the Network and Information Security (NIS) Directive. However, the DPA announcement should prompt entities in all sectors to take a closer look at the organizational measures aimed at protecting personal data, in addition to the technical ones.