On 16 March 2023, the Romanian DPA announced two sanctions of EUR 1,000 and EUR 3,000 respectively, applied to controllers in the medical field for failure to ensure the security of processing.
Both investigations were opened following complaints submitted by data subjects alleging a possible violation of the GDPR.
During the first investigation, the Romanian DPA established that the controller had sent a message via the WhatsApp application to the phone number of a private individual, containing the medical test results of two other data subjects.
The Romanian DPA found that the unauthorized disclosure of and access to certain personal data (i.e., name and surname, personal numerical code ("CNP" in Romanian), telephone number, and medical test results) occurred because the controller had not implemented adequate technical and organizational measures to ensure a level of security appropriate to the risk of the processing.
In addition to the EUR 1,000 fine, the controller was also ordered to review and update the technical and organizational measures implemented following a risk assessment, as well as its working procedures relating to the protection of personal data. The Romanian DPA further ordered the controller to implement a register of data breaches recording a description of the facts of each breach, its effects, and the remedial measures taken.
During the second investigation, concerning another medical center, it was found that a patient had received by e-mail, in addition to his own results report, a series of attached files containing the results of examinations belonging to five other patients. The attached documents contained the name, surname, date of birth, date of examination, reason for the examination, result of the examination, diagnosis, and conclusions of the medical examination.
The Romanian DPA concluded that the controller had not implemented adequate technical and organizational measures to ensure a level of security appropriate to the risk of the processing, including measures to ensure that any natural person acting under the authority of the controller who has access to personal data processes them only on the instructions of the controller.
Corrective measures were also applied: the controller was ordered to review and update its technical and organizational measures following a risk assessment of the rights and freedoms of natural persons, including working procedures ensuring the protection of personal data, and to implement a procedure for the notification of personal data breaches.
The press release is available here (only in Romanian).