
16.03.2023

Sanctions for the GDPR infringement


The National Supervisory Authority finalized in February 2023 two investigations at controllers from the medical field.

The investigations were opened following complaints received from natural persons alleging a possible infringement of Regulation (EU) 2016/679.

Therefore, it was found that:

  1. The controller Centrul Medical Dr. Furtuna Dan breached the provisions of Article 32 paragraph (1) letter b) and Article 32 paragraph (2) of Regulation (EU) 2016/679 and was sanctioned with a fine in the amount of Lei 4,918.5 (the equivalent of EUR 1,000).
  2. The controller Med Life S.A. breached the provisions of Article 32 paragraph (1) letter b) and Article 32 paragraph (2) and paragraph (4) of Regulation (EU) 2016/679 and was sanctioned with a fine in the amount of Lei 14,775.5 (the equivalent of EUR 3,000).
  1. Within the investigation, the National Supervisory Authority found that the controller Centrul Medical Dr. Furtuna Dan sent, through the WhatsApp application, to the telephone number of a natural person a message that contained the results of two medical tests pertaining to two other data subjects.

From the verifications performed, it resulted that the controller Centrul Medical Dr. Furtuna Dan did not implement adequate technical and organisational measures to ensure a level of security appropriate to the risk of the processing, including the ability to ensure the ongoing resilience of the processing systems and services.

Consequently, this failure led to a breach of the confidentiality of the processed data, through the unauthorised disclosure of and unauthorised access to certain personal data (such as first name and last name, PIN, telephone number and the result of the medical test) sent through the WhatsApp application.

At the same time, the corrective measure of reviewing and updating the technical and organisational measures implemented, following an evaluation of the risk to the rights and freedoms of natural persons, including the working procedures for personal data protection, was also applied. The controller was further ordered to implement a register of all personal data breaches, containing a description of the facts relating to each breach, its effects and the remedial action taken, in accordance with Article 33 paragraph (5) of Regulation (EU) 2016/679.

  2. Within the investigation performed at the controller Med Life S.A., following a complaint, it was found that a patient received by e-mail, in addition to his own investigation report, several attached files containing the results of investigations pertaining to five other patients. The attached documents contained the first name, last name, date of birth, date of examination, reason for the examination, result of the investigation (examination), diagnosis and the conclusions of the medical examination.

Therefore, it resulted that the controller Med Life S.A. did not implement adequate technical and organisational measures to ensure a level of security appropriate to the risk of the processing, in particular the risk of accidental or unlawful unauthorised disclosure of personal data stored or otherwise processed, including the ability to ensure their confidentiality.

It was also found that the controller Med Life S.A. did not take measures to ensure that any natural person acting under the controller's authority who has access to personal data processes them only on the controller's instructions.

Based on Article 58 paragraph (2) letter d) of Regulation (EU) 2016/679, the controller was also ordered to review and update the technical and organisational measures implemented, following an evaluation of the risk to the rights and freedoms of natural persons, including the working procedures regarding the protection of personal data, and to implement a procedure for notifying personal data breaches.


Legal and Communication Department

A.N.S.P.D.C.P.