On 6 December 2021, the Romanian DPA announced two fines imposed against a major telecommunication company for failure to comply with several data protection requirements. Additionally, the DPA imposed corrective measures against the same controller.
One fine amounted to EUR 5,000 and was imposed for failure to comply with accuracy, integrity and confidentiality, as well as accountability principles. The other fine amounted to EUR 1,000 and was imposed for not responding to an affected data subject’s erasure request.
The investigation was launched following the receipt of a complaint from a data subject who has received another individual’s invoices and notifications via e-mail. During the investigation, the DPA concluded that the telecommunication company had collected and processed inaccurate personal data, leading to unlawful disclosure of an individual’s data. Moreover, the DPA found that the controller failed to erase an individual’s personal data, as requested under Article 17 of the GDPR.
Moreover, the Romanian DPA imposed corrective measures ordering the controller to implement efficient technical and organizational measures (i) to ensure data accuracy, and (ii) to manage data subjects’ rights to rectification and erasure, including ensuring record-keeping of such requests and training for the individuals involved in the data processing.
The press release is available here (only in Romanian).