On the 2nd of July 2019, the National Supervisory Authority finalised an investigation into controller WORLD TRADE CENTER BUCHAREST S.A. and found that the controller infringed the provisions of Article 32 (4) in relation to Article 32 (1) and (2) of the General Data Protection Regulation in respect of the security of processing.
The data controller, WORLD TRADE CENTER BUCHAREST S.A., was sanctioned to a fine of 71028 lei, the equivalent of 15,000 Euros.
The breach of personal data security consisted in the fact that a printed paper list used to check the customers attending breakfast and which contained personal data of 46 clients accommodated at the hotel belonging to WORLD TRADE CENTER BUCHAREST S.A. was photographed by unauthorized people outside the company, which led to the disclosure of the personal data of some clients through publication.
The data controller, WORLD TRADE CENTER BUCHAREST S.A., has been sanctioned because it has not taken measures in order to ensure that its employees who have access to personal data process data only at its request, according to the law.
Also, the data controller did not implement adequate technical and organisational measures to ensure a level of security appropriate to the risk of accidental or unlawful processing, in particular, of unauthorized disclosure or unauthorized access to personal data. This has led to unauthorized access to the personal data of 46 clients of WORLD TRADE CENTER BUCHAREST SA and unauthorized disclosure of these data in the on-line environment, which has led to the violation of right to privacy and right to the protection of personal data, guaranteed by Article 7 and Article 8 of the Charter of Fundamental Rights of the European Union and Article 16 of the Treaty on the Functioning of the European Union.
The National Supervisory Authority performed the investigation following the notification of a personal data breach received from WORLD TRADE CENTER BUCHAREST S.A., by filling out the form concerning the personal data breach provided by Article 33 of GDPR.
The General Regulation on Data Protection establishes, by art. 24, the principle of responsibility of data controller, according to which: “Taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation. Those measures shall be reviewed and updated where necessary.”
Moreover, Recital (75) of GDPR states that:
“The risk to the rights and freedoms of natural persons, of varying likelihood and severity, may result from personal data processing which could lead to physical, material or non-material damage, in particular: where the processing may give rise to discrimination, identity theft or fraud, financial loss, damage to the reputation, loss of confidentiality of personal data protected by professional secrecy, unauthorised reversal of pseudonymisation, or any other significant economic or social disadvantage; where data subjects might be deprived of their rights and freedoms or prevented from exercising control over their personal data; where personal data are processed which reveal racial or ethnic origin, political opinions, religion or philosophical beliefs, trade union membership, and the processing of genetic data, data concerning health or data concerning sex life or criminal convictions and offences or related security measures; where personal aspects are evaluated, in particular analysing or predicting aspects concerning performance at work, economic situation, health, personal preferences or interests, reliability or behaviour, location or movements, in order to create or use personal profiles; where personal data of vulnerable natural persons, in particular of children, are processed; or where processing involves a large amount of personal data and affects a large number of data subjects.”
Read the full press release in Romanian here
For further information, please contact the Romanian Supervisory Authority: firstname.lastname@example.org
The press release published here does not constitute official EDPB communication, nor an EDPB endorsement. This press release was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. As the press release is represented here as it appeared on the SA's website or other channels of communication, the news item is only available in English or in the Member State's official language with a short introduction in English. Any questions regarding this press release should be directed to the supervisory authority concerned.