On the 10th of December 2019, National Supervisory Authority finalised an investigation at the controller Hora Credit IFN S.A. and ascertained the infringement of certain provisions of General Data Protection Regulation (GDPR).
The controller was sanctioned as follows:
for the contravention found pursuant to Article 12 of Law no. 190/2018, by reference to the dispositions mentioned in Article 83 paragraph (5) letter a) of GDPR – fine in the amount of 14336.1 lei, the equivalent of 3000 euros;
for the contravention found pursuant to Article 12 of Law no. 190/2018, by reference to the dispositions mentioned in Article 83 paragraph (4) letter a) of GDPR – fine in the amount of 47787 lei, the equivalent of 10000 euros;
for the contravention found pursuant to Article 12 of Law no. 190/2018, by reference to the dispositions of Article 83 paragraph (4) letter a) of GDPR (by reference to Article 33 paragraph (1) of GDPF) – fine in the amount of 4778.7 lei, the equivalent of 1000 euros.
The sanctions were imposed as a result of a complaint alleging that Hora Credit IFN SA sent documents containing the personal data of another person to the e-mail address.
Although this error was reported to both the controller and its call center, Hora Credit IFN SA did not remedy this issue, still transmitting messages to the e-mail address.
Following the investigation it was found that Hora Credit IFN SA processed the data without proving the application of effective mechanisms for verifying and validating the accuracy of the data collected and subsequently processed, respectively, to maintain their confidentiality, according to the principles set out in Article 5 of the GDPR.
It was also found that the controller did not take sufficient security measures for personal data, according to Articles 25 and 32 of the GDPR, so as to avoid the unauthorised and accessible disclosure of personal data to third parties.
At the same time, Hora Credit IFN SA did not notify the Supervisory Authority with regard to the security incident that was brought to its notice, according to Article 33 of the GDPR, within 72 hours from the date it became aware of it.
At the same time, the following corrective measures were applied to the controller:
corrective measure to ensure compliance with the GDPR of the operations for the collection and further processing of personal data for the purpose of concluding and executing the loan agreements, in particular, in terms of verifying the collected personal data, such as the e-mail address, which allow remote communication of the personal data, by implementing effective methods for validating the accuracy of the data – within 30 days from the date of communication of the contravention report (Article 58 paragraph (2) letter d) of the GDPR);
corrective measure to ensure compliance with the GDPR of the operations for the processing of personal data for the purpose of concluding and executing the loan agreements, in terms of respecting the professional secrecy and the confidentiality of personal data of its clients, in particular, in the case of remotely sending documents and messages containing personal data (e.g. by electronic mail), by implementing appropriate and efficient security measures, both from a technical point of view (such as encryption) and from an organisational point of view, by training the persons who process data under its authority, in order to identify and limit immediately the risks that may affect the data subjects – within 30 days from the date of communication of the contravention report (Article 58 paragraph (2) letter d) of the GDPR);
corrective measure to ensure compliance with the GDPR of the operations for the processing of personal data for the purpose of implementing an adequate internal policy for identifying and analysing the risks and notification of the ANSPDCP in case of a security breach, under the conditions provided by Article 33 paragraph (1) of the GDPR – within 30 days from the date of communication of the contravention report (Article 58 paragraph (2) letter d) of the GDPR).
For further information, please contact the Romanian Supervisory Authority: anspdcp@dataprotection.ro