Article by Silvia Axinescu, Senior Managing Associate at Reff & Associates, Luiza Ionescu, Managing Associate at Reff & Associates, and Adrian Ifrim, Risk Advisory Manager at Deloitte Romania
The most important moment for Romanian companies after the entry into force of GDPR was certainly June 27, 2019, when the National Authority for Personal Data Processing Supervision (ANSPDCP) imposed the first fine, in the amount of approximately 130,000 euros, on a banking institution for breach of Regulation (EU) 2016/679.
Why was the fine imposed?
When making a payment, whether it was initiated by an account holder with the sanctioned bank or by a third-party user of the interbank payment system, the payer's CNP (personal numeric code) and address were accessible to the payee through the statement of account or the payment details provided by the bank. Following the investigation, ANSPDCP concluded that the processing of these data breaches the privacy by design principle, according to which operators are required to implement appropriate technical and organizational measures, taking into account the nature and timing of the processing, the risks it poses, and the available technological and financial means, in order to ensure compliance with GDPR.
The Privacy by Design Principle - Legal Implications for IT Systems
The privacy by design principle acts as an umbrella and implies the incorporation of the other GDPR principles under a single provision - for example, the principle of data minimization. Compliance with privacy by design involves a preliminary risk assessment process, through which operators identify the measures to be implemented. Moreover, in addition to the legal assessment (for example, checking that the data processed are necessary in relation to the purposes, the retention period, the use, etc.), this principle requires a thorough verification of the IT infrastructure (systems, applications, etc.), followed by remodeling if nonconformities are identified. Thus, privacy by design cannot be achieved simply by adopting procedures and policies, but only by implementing, and periodically testing the correct operation of, the system changes that ensure compliance with those data protection procedures and policies. Implementing a new business process or new software within the company should be done with the support of the data protection officer.
The best way to verify whether both technical and non-technical controls work is to periodically simulate a cyber incident that results in unauthorized access to personal data.
To perform this exercise, the team must identify the data that was accessed, the systems that stored the information and the affected business processes. This type of test will oblige the internal teams to verify that the existing information is up to date.
Similarly, as a result of these exercises, companies can identify processes or applications that give external providers access to data, access that may not have been documented in advance or that is not warranted. At the same time, for processes that were properly documented at the time of implementation, a company may realize that the existing documentation requires a higher level of detail.
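The failure described above (payer CNP and address reaching the payee through statements and payment details) and the periodic test recommended here can both be expressed as concrete controls. The following is an added example, not code from the article or from the sanctioned bank: a minimizing projection that defines the only payer fields a payee view may contain, and a detective check that scans outgoing statement text for checksum-valid CNPs. The record layout, the sample values and the IBAN are constructed; the CNP control-digit rule is the public checksum for the Romanian CNP and is not described on the page.

```python
import re
from dataclasses import dataclass, asdict

# Control-digit weights of the Romanian CNP (assumption: the page does not
# describe the CNP layout; this is the public checksum rule, not the bank's code).
_CNP_WEIGHTS = (2, 7, 9, 1, 4, 6, 3, 5, 8, 2, 7, 9)


def is_valid_cnp(value: str) -> bool:
    """True if value is a 13-digit CNP whose control digit verifies."""
    if not re.fullmatch(r"\d{13}", value):
        return False
    digits = [int(c) for c in value]
    control = sum(d * w for d, w in zip(digits[:12], _CNP_WEIGHTS)) % 11
    if control == 10:  # the checksum rule maps a remainder of 10 to 1
        control = 1
    return control == digits[12]


@dataclass(frozen=True)
class PaymentRecord:
    """Internal payment record as the bank's system holds it (constructed layout)."""
    amount: str
    currency: str
    booked_on: str
    payer_name: str
    payer_iban: str
    payer_cnp: str
    payer_address: str
    reference: str


# Only what the payee needs to reconcile the payment leaves the bank; the payer's
# CNP and address, the two fields in the sanctioned case, are never projected.
PAYEE_VISIBLE_FIELDS = ("amount", "currency", "booked_on",
                        "payer_name", "payer_iban", "reference")


def payee_view(record: PaymentRecord) -> dict:
    """Minimizing projection: the statement / payment-details view for the payee."""
    full = asdict(record)
    return {k: full[k] for k in PAYEE_VISIBLE_FIELDS}


def find_cnp_leaks(statement_text: str) -> list[str]:
    """Detective control for the periodic test: checksum-valid CNPs in outgoing text."""
    return [m for m in re.findall(r"(?<!\d)\d{13}(?!\d)", statement_text)
            if is_valid_cnp(m)]
```

Running find_cnp_leaks over the text actually rendered for payees (statements, payment-detail exports, notification e-mails) turns the simulated-incident exercise into a repeatable check rather than a one-off review.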
As regards the proportionality of the fine, it is interesting to note that a breach of the privacy by design principle is subject under GDPR to a fine of no more than EUR 10 million or 2% of global annual turnover, rather than the upper limit of EUR 20 million or 4%. In addition, when setting the amount of the fine, ANSPDCP had to consider the large number of data subjects affected (337,042) and other aspects, such as the categories of data involved, whether the operator acted intentionally or negligently, any actions taken to mitigate the harm suffered by the persons affected, etc.
Romania, the second largest fine in Central and Eastern Europe
Among the fines in Central and Eastern Europe, the sanction imposed by ANSPDCP is the second largest after the 220,000 euro fine issued in Poland in the Bisnode case, in which personal data from public sources was used without complying with the obligation to inform the persons concerned. Thus, based on a study conducted by Deloitte Legal in Central and Eastern Europe, the amount of this first fine places Romania at the top of the fines issued in this first year of GDPR application. The study also shows that in Bulgaria the highest fine did not exceed 27,000 euros, in Hungary 40,000 euros, and in Lithuania 61,500 euros.
The financial and banking industry was among the sectors most targeted by ANSPDCP investigations, both before and after the entry into force of GDPR. Moreover, ANSPDCP has reported that the notifications and complaints received related to violations of the principles of personal data processing in the banking system and of the privacy and security rules for personal data processing.
Consequences in procedural and judicial terms
From the official data communicated by ANSPDCP, about 1,000 investigations were in progress at the end of May 2019 and it is expected that entities subject to sanctions and corrective actions will challenge these decisions in court.
Complaints filed with the courts for administrative and fiscal litigation suspend only the payment of the fine, not the obligation to apply the corrective measures, so they will most likely be accompanied by requests for suspension of the corrective measures under the provisions of the Administrative Litigation Act.
In the absence of settled case law on the different types of violations of the legislation in question, and given that the previous legislation provided for significantly lower fine thresholds (about 10,000 euros), the courts will have to form their own view of these cases. A non-uniform practice at national level is therefore likely.
Shortly after the first fine, ANSPDCP announced two more sanctions, worth 15,000 and 3,000 euros respectively. It remains to be seen whether their value and frequency will increase, given the appetite of injured persons to bring actions directly in court (actions exempt from stamp duty); bringing such an action neither prevents a simultaneous ANSPDCP investigation nor obliges ANSPDCP to suspend or dismiss complaints.