Penalty against law firm
A Romanian legal and tax law firm was fined €3000 by the local data protection authority.
On the company’s website, interested entrepreneurs can purchase various products of the company. Among other things, the firm offers products on the topic of data protection and the GDPR. In addition to the online store, the website provides various information on this topic. For example, GDPR consulting hours can also be booked.
During the period from December 10, 2018 to February 1, 2019, all orders were publicly viewable on this website. The following data were available for viewing:
- First and last name of the orderer
- Company name
- Email address
- All news and details about the order
The data could be accessed by anyone via two links. This circumstance is a significant technical deficiency and thus a violation of Article 32 of the General Data Protection Regulation.
Therefore, the authority imposed a fine in the amount of Leu 14,173.50, which corresponds to an equivalent of approximately € 3000. A small penalty, considering that the company concerned has positioned itself as an expert on GDPR issues. Even compared to other fines in Romania, the amount of the penalty is surprising.
A correct technical implementation of your own website is essential to meet the requirements of the GDPR. If a company ignores this requirement, it not only risks a fine from the authorities, but also loses the trust of its own customers. Therefore, when implementing the GDPR, not only should you make sure that the required documentation is in place, but you should also take the opportunity to subject your IT security to a thorough audit.
With easyGDPR you can do both together. The program not only queries all the necessary information on the topic of data protection and the GDPR but also gives you an insight into your network security. Should any vulnerabilities emerge, the program will give you clear and easy-to-understand recommendations to best protect your data and that of your customers.
Type of violation:
Was sensitive data affected?:
Violation of GDPR Paragraph:
32. Security of processing