Author: Iurie Cojocaru, Oxana Gorgan
Romanian DPA case studies – our top 5 picks
1. Refusal to provide the contractual clauses which represent the safeguard for the data transfer to a third country
Case study: A data subject complained about the refusal of a financial banking institution to provide him with a copy of the personal data protection clauses relating to the transfer of his personal data to a third country. In its reply to his request, the institution invoked the confidential nature of a number of clauses in the contract governing the data transfer as grounds for its refusal. The Romanian DPA considered that the controller has an obligation to provide data subjects with a copy of the personal data protection contractual clauses on which the data transfer to a third country relies, so the confidentiality of clauses in such an agreement cannot justify the refusal. (pages 102-103 of the Report)
Why it is important: A controller cannot rely on the confidentiality of the contractual clauses in justifying a refusal of the request to provide the contractual clauses which represent the safeguard for the data transfer to a third country. In fact, one of the elements which the controllers must include in their privacy notices is the safeguards (e.g., standard contractual clauses) on which such data transfers rely, as well as the modalities in which a copy thereof may be obtained.
2. Training materials of the controller provided to its processors
Case study: A data subject complained about the publication of his image on social media by a gas station (acting as data processor). During the investigation, the controller proved that it had adopted adequate security measures and carried out repeated training sessions. Those measures and training sessions covered the operating conditions of the video surveillance systems installed in its stations and were also addressed to the processor’s representative managing the gas station. However, the data processor was not able to prove that its employees had participated in the training sessions, nor that it had passed on to them all the information and training materials presented by the controller to the gas station manager. The Romanian DPA concluded that the processor had not taken sufficient technical and organizational measures to ensure the confidentiality of the data, particularly as regards training its employees on their obligations in the context of data processing, on how requests for access to video recordings must be handled, and on the procedure for dealing with data breaches. (pages 123-124 of the Report)
Why it is important: In ensuring the security of data processing, it is a good practice for the controller to (i) ensure the data protection-related training of the processors’ representatives and (ii) instruct such processors to train their own employees using the data protection-related materials from the controller.
3. Disclosure of personal data without prior anonymization
Case study: A higher education institution disclosed the personal data of a student (the complainant) by forwarding it to the student representative of the year, who subsequently made it public by posting it in a WhatsApp group with 43 members. During the investigation, the Romanian DPA found that the information could have been shared among the members of the group without making the complainant’s identification data public. Thus, because the information was disclosed without anonymizing the data, the Romanian DPA concluded that the institution unlawfully disclosed the complainant’s personal data, without informing her beforehand, without ensuring an adequate legal ground and in breach of its confidentiality obligations. (page 98 of the Report)
Why it is important: Prior to disclosing information that includes personal data, the controllers must assess whether sharing that personal data is indispensable. If proven that sharing that personal data is not necessary, it needs to be anonymized before the disclosure takes place.
4. Unauthorized access of data by a company employee
Case study: A banking institution filed a data breach notification concerning unauthorized access to personal data in its customer database by one of its employees. The unauthorized access occurred because the employee misused the access rights granted to him for the performance of his duties. The Romanian DPA imposed a EUR 20,000 fine after concluding that the controller had not implemented adequate technical and organizational measures to ensure a level of security appropriate to the risk presented by the data processing. (pages 76-77 of the Report)
Why it is important: It is important to keep in mind that unauthorized access to personal data qualifying as a data breach does not necessarily have an external source; it can also come from inside your organization. Moreover, the data breach may still present a risk, and thus be notifiable to the Romanian DPA, even if only one employee had unlawful access to the data.
5. Disclosure of employee data following the handover of equipment for disposal
Case study: A complainant reported that a company had disclosed data concerning its employees, which was available on a computer he received in order to perform a scrapping operation. The company had handed this computer over to the complainant without signing a handover protocol. The company was also unable to prove that, before handing the equipment over to the complainant, it had checked the computer’s central unit and deleted the documents on it. Moreover, the complainant was able to access files on the computer’s central drive because they were not password-protected. In addition, the company did not contact the complainant after the handover to request the deletion/destruction of the information comprising personal data to which the complainant had access. Thus, the Romanian DPA concluded that the controller had not taken sufficient technical and organizational security measures to ensure the confidentiality of the personal data of its (former) employees. (pages 109-110 of the Report)
Why it is important: Certain formalities need to be fulfilled before handing over equipment that contains personal data, such as signing a handover protocol and deleting the files. Even if the equipment has already been handed over and the personal data has been accessed unlawfully, the entity must still contact the recipient and request the deletion/destruction of the personal data to which the latter had unlawful access.
1. Statistics on complaints, notices (Romanian: sesizări) and data breach notifications received by the authority
- 3,899 complaints received (as compared to 4,634 complaints in 2021);
- based on them, 281 investigations were opened (as compared to 319 investigations in 2021), resulting in:
  - 25 fines totalling RON 253,382.28 (equivalent of EUR 51,300) (in 2021, there were 15 fines applied, out of which 14 based on the GDPR, totalling RON 141,530.1 (the equivalent of EUR 28,481), and 1 fine based on Law 506/2004, amounting to RON 10,000 – approx. EUR 2,000);
  - 90 reprimands (as compared to 71 reprimands in 2021);
  - 60 corrective measures (as compared to 40 corrective measures in 2021);
- 198 notices and 155 data breach notifications received (as compared to 171 notices and 201 data breach notifications in 2021);
- based on them, 314 investigations were opened (as compared to 372 investigations in 2021), resulting in:
  - 44 fines totalling EUR 160,090 (as compared to 21 fines in 2021 totalling EUR 46,750);
  - 44 reprimands (as compared to 22 reprimands in 2021);
  - 33 corrective measures (as compared to 16 corrective measures in 2021);
- in total: 4,260 complaints, notices and data breach notifications received (as compared to 5,006 in 2021);
- based on them, 629 investigations were opened (as compared to 691 investigations in 2021), resulting in:
  - 69 fines totalling RON 1,058,863 – approx. EUR 213,122 (as compared to 36 fines in 2021, totalling RON 371,131.95 – approx. EUR 74,700);
  - 134 reprimands (as compared to 93 reprimands in 2021);
  - 93 corrective measures (as compared to 56 corrective measures in 2021).
2. The most frequent cases of complaints
- Processing of data with a wrong legal ground or without legal ground;
- Violation of rights of data subjects, especially the right of access and right to erasure;
- Violation of security measures and confidentiality rules;
3. The most frequent cases of notified data breaches
- Confidentiality/availability/integrity of data affected as a result of the unauthorized disclosure;
- Unlawful access to video monitoring systems (CCTV);
- Disclosure of data on the internet;
- Disclosure of data in the healthcare system;
- Unlawful access to personal data of clients from the banking system.
4. The most frequent cases of notices
- Breach of the GDPR principles;
- Disclosure of personal data without the consent of the data subject;
- Disclosure of personal data online, in particular on social networks;
- Processing of personal data through the video monitoring systems;
- Violation of security measures and confidentiality rules, especially by failure to adopt appropriate technical and organizational measures to ensure the security of processing;
- 948 requests received for points of view on matters related to the protection of personal data (as compared to 941 requests in 2021);
- 107 legislative drafts on which the Romanian DPA issued its notice (as compared to 68 legislative drafts in 2021);
- 30 cases pending before the Court of Justice of the European Union in which the Romanian DPA has issued its opinion (as compared to 26 cases in 2021);
- 108 court files handled by the Romanian DPA (as compared to 152 files in 2021), out of which:
  - 40 new claims (as compared to 25 new claims in 2021);
  - 22 claims against acknowledging/sanctioning minutes issued by the Romanian DPA (in 2021, of 22 new claims, 6 were against such minutes);
- 26 preliminary complaints received by the Romanian DPA, in the context of the administrative dispute resolution procedure, from persons dissatisfied with the authority’s answer, of which 6 were accepted (in 2021, 15 preliminary complaints were received and 8 were accepted);
- requests from 34 multinational companies for the approval of binding corporate rules (BCRs) analyzed by the Romanian DPA (as compared to 40 companies in 2021).