Fine against law firm
A Romanian law firm and tax office was fined € 3,000 by the local data protection authority.
Background
On the company's website, interested entrepreneurs can purchase various products. Among other things, the law firm offers a range of privacy and GDPR-related products. In addition to the shop, the site provides information on the topic, and GDPR consulting hours can also be booked.
From December 10th, 2018 to February 1st, 2019, all orders placed on this website could be viewed publicly. The following data was available:
- First and last name of the customer
- Company name
- E-mail address
- Phone number
- Complete order details
The data could be accessed by anyone via two links. This is a significant technical defect and therefore a violation of Article 32 of the General Data Protection Regulation.
The authority therefore imposed a fine of Leu 14.173,50, equivalent to about € 3,000. This is a small penalty, considering that the company has positioned itself as an expert on GDPR issues. The penalty is also surprising compared to other fines in Romania.
Conclusion
Proper technical implementation of your own website is essential to meet the requirements of the GDPR. If a company ignores this requirement, it not only risks a fine from the authorities, but also loses the trust of its own customers. Therefore, implementing the GDPR in your company should be seen as an opportunity to scrutinize IT security.
With easyGDPR you can do both together. The program not only retrieves all the necessary information on privacy and GDPR but also gives you an insight into your network security. If there are weaknesses, the program gives you clear and easy-to-understand recommendations to best protect your data and that of your customers.
Source: Article from Romanian Data Protection Authority
Decision date:
15.07.2019
Country:
Romania
Type of violation:
technical deficiency
Affected records:
unknown
Was sensitive data affected?:
No
Fine imposed:
€ 3,000
GDPR article violated:
32. Security of processing