Hora Credit IFN SA
Insufficient technical and organisational measures to ensure information security
Datum rozhodnutí
10. prosince 2019
Úřad
Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP)
RO
Sektor
Finance, Insurance and Consulting
Země
RO
Právo
GDPRStav
FINALPopis
The sanctions were applied as a result of a complaint alleging that Hora Credit IFN SA transmitted documents containing personal data of another person to a wrong e-mail address. Following the investigation it was found that Hora Credit IFN SA processed the data without providing effective mechanisms for verifying and validating the accuracy of the data collected processed according to the principles set out in art. 5 of the GDPR. It was also found that the operator did not take sufficient security measures for personal data, according to art. 25 and 32 of the GDPR, so as to avoid unauthorized and accessible disclosure of personal data to third parties. At the same time, Hora Credit IFN SA did not notify the Supervisory Authority of the security incident that was brought to its notice, according to art. 33 of the GDPR, within 72 hours from the date it became aware of it. The fine consists of three partial fines of EUR 3000, EUR 10000 and EUR 1000.