
06.02.2025

Sanction for the infringement of the GDPR

 

The National Supervisory Authority for Personal Data Processing completed, in December 2024, an investigation at the controller Omniasig Vienna Insurance Group S.A. and found a breach of Article 32 paragraph (4) in conjunction with Article 32 paragraphs (1) and (2) of Regulation (EU) 2016/679.

For this act, the controller was fined 14,931 lei (the equivalent of 3,000 euros).

The investigation was launched as a result of a data breach notification submitted by the controller Omniasig Vienna Insurance Group S.A., pursuant to the provisions of Article 33 of Regulation (EU) 2016/679.

The controller reported that an employee of a processor (a legal entity) with which it cooperates collected undue amounts by filling in compensation claims for non-existent events, using the identities of clients who are insured natural persons.

During the investigation, it was found that the employee of the processor, who had access to the controller’s claims files, accessed without authorisation personal data such as: name, surname, home address, the person’s image, personal identification number, ID series and number, medical data and financial data of the data subjects.

In this context, the security breach occurred as a result of unauthorised access over a period of time to personal data belonging to a significant number of data subjects.

Thus, it was found that the controller did not implement adequate technical and organisational measures to ensure a level of security appropriate to the risk of the processing, including the ability to ensure integrity in order to guarantee the security of the processing, and did not take adequate measures to ensure that any natural person who acts under the authority of the controller or the processor and has access to personal data processes them only at the request of the controller.

At the same time, the controller was ordered, as a corrective measure, to establish an inspection/audit plan within the processor, so as to avoid similar security incidents.

The controller paid the established fine.

 

Legal and Communication Department

A.N.S.P.D.C.P