The National Supervisory Authority for Personal Data Processing ('ANSPDCP') announced, on 11 November 2021, its decision to fine Vodafone Romania SA RON 14,421.25 (approx. €2,914), for violations of Articles 32(1)(b) and 32(2) of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), and Articles 3(1), (3)(a), and 3(b) of Law No. 506/2004 on the Processing of Personal Data and the Protection of Privacy in the Electronic Communications Sector, following an investigation initiated by several notifications of personal data breaches by Vodafone to the ANSPDCP.  

Background to the case

In particular, the ANSPDCP noted that an investigation was initiated by the ANSPDCP following several data breach notifications it had received from Vodafone. In addition, the ANSPDCP noted that the breaches in question led to the unauthorised disclosure and/or unauthorised access to the personal data of six individuals between 16 November 2020 and 18 May 2021.

Findings of the ANSPDCP

Moreover, the ANSPDCP noted that with regard to security breaches, the ANSPDCP found that Vodafone did not implement adequate technical and organisational measures to ensure the security of personal data processing, to ensure that personal data can be accessed only by persons authorised for the purposes authorised by law, and protect personal data stored or transmitted against unlawful processing, access, or disclosure.

Outcomes

Finally, the ANSPDCP imposed a fine of RON 7,421.25 (approx. €1,114) for the violation of Articles 32(1)(b) and 32(2) of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), and RON 7,000 (approx. €1,500) for the violation of Articles 3(1), (3)(a), and 3(b) of Law No. 506/2004.

You can read the press release, only available in Romanian, here.