After more than a year from the entering into force, on 25th of May 2018, of the General Data Protection Regulation (GDPR), we are now facing another period of concerns generated by the first fines applied by the National Supervisory Authority for Personal Data Processing (ANSPDCP). During only a few days (27 June – 5 July 2019), the authority has applied three fines: EUR 130,000 to a bank, EUR 15,000 to a hotel and EUR 3,000 to a company offering consultancy services with respect to the protection of personal data. All these fines are the result of the investigations initiated either based on complaints made by the interested person or following a security breach notification made by the data controller. Moreover, the authority has updated its webpage to facilitate the access of the interested persons to the complaint procedure, a procedure which was significantly simplified to allow for the complaint form to be filled in online. A complaint department has also been organized within ANSPDCP. It is thus easy to anticipate that the number of complaints to be registered with the authority as well as the number of investigations and sanctions to be applied will increase significantly.
In this context, our colleague, Nicoleta Gheorghe, talked about the measures a company may take before, during and after the investigation conducted by ANSPDCP as per the applicable legal provisions.
The article was published, inter alia, on: