The most important moment for companies in Romania since the GDPR entered into force came on June 27, when the National Supervisory Authority for the Processing of Personal Data (ANSPDCP) imposed its first fine, approximately 130,000 euros, on a banking institution for violating Regulation (EU) 2016/679, according to a Deloitte release.
When a payment was made, regardless of whether it was initiated by an account holder at the sanctioned bank or by a third-party user of the interbank payment system, the payer's CNP (personal numeric code, the Romanian national identification number) and postal address were accessible to the payee through the account statement or through the payment details provided by the bank. Following its investigation, ANSPDCP concluded that this processing violated the principle of data privacy by design (data protection by design, Article 25 GDPR). Under that principle, operators must, from the moment a processing operation is designed until it ends, implement appropriate technical and organizational measures, proportionate to the nature and risks of the processing and to the technological and financial means available, so as to ensure compliance with the GDPR, the release states.
The principle of data privacy by design - legal implications and implications for IT systems
The principle of data privacy by design acts as an umbrella: it brings the other GDPR principles, for example data minimization, under a single provision. Compliance with it begins with a preliminary risk assessment of the processing, through which operators identify the measures to be implemented. Beyond the legal evaluation (for example, establishing which data are necessary for the purposes pursued, the retention period, the legal basis relied on, etc.), the principle requires a thorough review of the IT infrastructure (systems, applications, etc.), followed by its redesign where non-conformities are found. Compliance therefore cannot be achieved merely by adopting procedures and policies; it requires implementing changes to the systems themselves so that they enforce those procedures and policies, and periodically testing that the changes work as intended. Any new business process or new software introduced within the company should be rolled out with the support of those responsible for data protection, according to the cited source.
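The following Python example is added here to illustrate the engineering side of the point above; it is not code from the Deloitte release or from the sanctioned bank. It models the scenario the article describes: a payment record legitimately carries the payer's CNP and address for the bank's own purposes, but the statement view generated for the payee must not. The field names, the two audiences ("payer_statement" and "payee_statement"), the sample record and the CNP value are all constructed for illustration. The example also goes one step beyond the article by scanning free-text fields such as the payment reference for CNP-shaped tokens, since an allow-list of structured fields alone would not catch an identifier typed into the payment description; that scan is the kind of regression check the paragraph's call for "periodic testing" implies.

```python
"""Purpose-bound statement views with a leak check for payer identifiers.

Added example, not code from the Deloitte release or from the sanctioned
bank. A payment record carries the payer's CNP and postal address for the
bank's own purposes, but the statement shown to the payee must not.
Field names, audiences and sample values are constructed.
"""
import re

# Which fields each outbound view may carry. Anything not listed is dropped,
# so a newly added sensitive field is withheld by default rather than exposed.
VIEW_FIELDS = {
    # The payer sees their own transaction, including their own address block.
    "payer_statement": {
        "booking_date", "amount", "currency", "reference",
        "payer_name", "payer_iban", "payer_address",
        "payee_name", "payee_iban",
    },
    # The payee only needs what is required to reconcile the incoming payment.
    # The payer's CNP and address are deliberately absent.
    "payee_statement": {
        "booking_date", "amount", "currency", "reference",
        "payer_name", "payer_iban",
        "payee_name", "payee_iban",
    },
}

# A Romanian CNP is a 13-digit number; this matches a run of exactly 13 digits.
CNP_SHAPED = re.compile(r"(?<!\d)\d{13}(?!\d)")

# Constructed sample record (not a real person, account or CNP).
SAMPLE_PAYMENT = {
    "booking_date": "2019-05-10",
    "amount": "250.00",
    "currency": "RON",
    "reference": "Factura 1042",
    "payer_name": "Ion Popescu",
    "payer_iban": "RO00EXMP1A2B3C4D5E6F7G8H",
    "payer_cnp": "1900101123456",
    "payer_address": "Str. Exemplu nr. 1, Bucuresti",
    "payee_name": "Exemplu SRL",
    "payee_iban": "RO00EXMP9Z8Y7X6W5V4U3T2S",
}


def project(record: dict, view: str) -> dict:
    """Return only the fields the given view is allowed to carry."""
    allowed = VIEW_FIELDS[view]
    return {k: v for k, v in record.items() if k in allowed}


def payer_identifiers(record: dict) -> set:
    """Values that must never reach the payee: the payer's CNP and address."""
    return {record["payer_cnp"], record["payer_address"]}


def find_identifier_leaks(view: dict, forbidden: set) -> list:
    """Names of fields whose value contains a forbidden value or a CNP-shaped token.

    The allow-list handles structured fields; this scan also catches identifiers
    that slipped into free text such as the payment reference, which is why the
    check belongs in the regression suite and not only in the design document.
    """
    findings = []
    for field, value in view.items():
        text = str(value)
        if CNP_SHAPED.search(text) or any(f in text for f in forbidden):
            findings.append(field)
    return findings


def payee_statement(record: dict) -> dict:
    """Build the payee-facing view; refuse to emit it if it leaks payer identifiers."""
    view = project(record, "payee_statement")
    leaks = find_identifier_leaks(view, payer_identifiers(record))
    if leaks:
        raise ValueError(f"payee statement would expose payer identifiers in: {leaks}")
    return view


if __name__ == "__main__":
    print(payee_statement(SAMPLE_PAYMENT))
    # The payer typed their CNP into the payment description: the allow-list
    # alone would pass it through; the content scan blocks it.
    leaky = dict(SAMPLE_PAYMENT, reference="Chirie CNP 1900101123456")
    try:
        payee_statement(leaky)
    except ValueError as exc:
        print("blocked:", exc)
```

The design choice worth noting is that the allow-list is per audience and default-deny: a field the bank later adds to the record (a second identifier, a phone number) is withheld from the payee until someone consciously adds it to the payee view, which is the "from the moment of design" obligation expressed in code rather than in a policy document.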
Regarding the proportionality of the fine, it is worth noting that a violation of the principle of data privacy by design falls under the lower GDPR tier, with a maximum fine of 10 million euros or 2% of total worldwide annual turnover, whichever is higher, rather than the upper tier of 20 million euros or 4%. In setting the amount, ANSPDCP had to take into account the large number of data subjects affected - 337,042 - as well as other factors, such as the categories of data involved, whether the operator acted intentionally or negligently, and any actions taken to mitigate the damage suffered by the data subjects.
Romania: the second largest fine in Central and Eastern Europe
Compared with the fines issued in Central and Eastern Europe, the sanction imposed by ANSPDCP is the second largest, after the 220,000 euro fine in Poland in the Bisnode case, which concerned the use of personal data obtained from public sources without complying with the obligation to inform the data subjects. According to a study carried out by Deloitte Legal in Central and Eastern Europe, the amount of this first fine places Romania near the top of the fines issued in the first year of GDPR application. The study also shows that the largest fine did not exceed 27,000 euros in Bulgaria, 40,000 euros in Hungary and 61,500 euros in Lithuania.
Procedural and judicial consequences
According to official data communicated by ANSPDCP, approximately 1,000 investigations were underway at the end of May 2019, and the entities that end up subject to sanctions and corrective measures are expected to challenge those decisions in court.
Appeals registered with the administrative and fiscal litigation sections of the courts suspend only the payment of the fine, not the obligation to apply the corrective measures, so they will most likely be accompanied by applications for suspension of the corrective measures under the Administrative Litigation Law, Deloitte representatives say.