Romanian SA fines UiPath SRL for breaching Articles 25 and 32 GDPR

Background information

• Date of decision: 18 July 2023
• Cross-border case or national case: Cross-border case
• LSA: Romania
• CSAs: Germany – Lower Saxony Land, Italy, Ireland, Slovenia, Belgium, Norway, Estonia, Austria, Netherlands, Finland, Sweden, Luxembourg, Spain, Bulgaria, Germany – Hessen land, France and Denmark
• Controller: UiPath SRL
• Legal references: Article 25 (Data protection by design and by default), Article 32 (Security of processing)
• Decision: Administrative fine,  Compliance order
• Key words: Data protection by design and by default, Personal data breach, Data security

Summary of the Decision

Origin of the case

The investigation was started as a result of the transmission by the controller of personal data breach notification under the General Data Protection Regulation.

Thus, Uipath SRL notified a violation of the confidentiality of personal data, consisting in the publication of the personal data of a significant number of users of the Academy Platform on a website accessible at a URL address.

Key Findings

During the investigation, the Romanian National Supervisory Authority for the Processing of Personal Data found that Uipath SRL did not implement adequate technical and organisational measures to ensure that, by default, personal data cannot be accessed, without the intervention of a person, or an unlimited number of people, including the ability to ensure the ongoing confidentiality and resilience of processing systems and services, as well as a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of processing.

This fact led to the unauthorised disclosure and access to personal data (user name and surname, the unique identifier of each user, e-mail address, the name of the company where the user is employed, the country and details of the level of knowledge obtained in within the UiPath ACADEMY courses) of about 600,000 users of the Academy Platform belonging to the controller UiPath, for a period of about 10 days.

The Romanian National Supervisory Authority for the Processing of Personal Data considered that this violation of the processing of personal data is likely to bring physical, material or moral harm to the data subjects, such as the loss of control over their personal data or the loss of data confidentiality personal.

Following the investigation, the Romanian National Supervisory Authority informed the other supervisory authorities involved, following Article 60 of Regulation (EU) 2016/679, regarding the conclusions resulting from the investigations carried out in this case with cross-border impact and, as well as, the proposed measures.

The Romanian National Supervisory Authority considered that Uipath SRL carried out cross-border processing,  and that the provisions of Article 60 of Regulation (EU) 679/2016, as well as those of Article 16 (3), (5), (6) and (7) of Law no. 102/2005, republished, which provides for the application of sanctions/corrective measures by decision of the president of ANSPDCP, were applicable.

Decision

The controller Uipath SRL was sanctioned with a fine of 346,598 lei, the equivalent of 70,000 EURO.

At the same time, pursuant to Article 58 (2) d) of Regulation (EU) 2016/679, the Supervisory Authority ordered the corrective measure against the controller to implement a procedure at regular time intervals, regarding the regular testing, assessing and evaluating the of the effectiveness of the adopted measures, taking into account the risk presented by the processing, in order to ensure an appropriate level of security and to avoid similar security incidents in the future.

For further information:

• Link to decision in national language