In the more than 5 years since the General Data Protection Regulation (EU) 2016/679 (“GDPR”) became applicable in Romania, companies have taken many measures to comply with its requirements, but continuous compliance remains an important item on the agenda of any company. The main actions observed in recent years relate to updating processes and documentation, considering the data protection implications of new projects, providing training for company employees and, in some cases, handling personal data breach incidents.

Ioan Dumitrascu, Diana Havra, Christiana Buleanu Photo: Filip & Company

Over the past 2 years, intensive activity has also been observed on the part of the National Authority for Control over the Processing of Personal Data (“ANSPDCP”), especially in relation to investigation activities.

The main change observed in 2023 concerns the total amount of fines applied: 2023 brought an increase in the total amount of fines, which doubled compared to 2022. The number of fines applied, however, varied only slightly. In 2022, the ANSPDCP applied the highest number of fines since the GDPR came into force, with 69 fines (according to its Annual Activity Report). In 2023, the number of GDPR fines was lower than in the previous year – 60 fines (according to information on the ANSPDCP website) – but their average value was higher.

It is also interesting to note that 2 fines were applied in 2023 for non-compliance with the cookie requirements of Law 506/2004, whereas in 2022 only warnings were issued for such non-compliance. These fines amounted to 10,000 and 40,000 lei respectively.

As a general observation, apart from the difference in the total amount of fines, ANSPDCP practice has been relatively consistent, the main ground for sanctions continuing to be the lack of adequate technical and organizational measures to ensure data security.

Thus, the main reasons that led to the application of sanctions by the ANSPDCP over the past 2 years were:

  • the absence of appropriate technical and organizational measures, especially where their absence led to security incidents (for example, unauthorized data transfer or access);
  • processing of personal data without a legal basis (including special categories of data);
  • failure to observe the rights of data subjects (objection to marketing communications, right of access and right to erasure);
  • breaches of the obligation to inform data subjects;
  • non-compliance with the principles of the GDPR (e.g. purpose limitation, data minimization, accuracy, storage limitation);
  • failure to comply with corrective measures ordered by the ANSPDCP;
  • failure to provide information requested by the ANSPDCP;
  • failure to notify the ANSPDCP and the data subjects of personal data breaches;
  • non-compliance with the provisions on storing information in, or gaining access to information stored in, the user’s terminal equipment (cookies), as provided for by Law 506/2004;
  • non-compliance with the requirements of data protection by design (privacy by design) and by default (privacy by default);
  • the controller did not ensure that persons acting under its authority process the data only on its instructions;
  • engaging another processor without the controller’s authorization.

This article was written by Ioan Dumitrescu (partner), Diana Havra (senior lawyer) and Christiana Buleanu (lawyer).