In First GDPR Fine, the Romanian DPA mixes the old and the new
Author: Roxana Ionescu, head of Data Protection
In applying its fine, the Romanian data protection authority has reinforced its past practice on minimizing the processing of personal numeric codes (equivalent to social security numbers) while making use of new concepts under the General Data Protection Regulation, like the accountability principle and data protection by design and by default.
What we know?
On 4 July 2019, the Romanian Authority for the Supervision of Personal Data Processing (the “Romanian DPA”) announced that it applied the first fine under GDPR:
- the sanctioning entity: a banking institution
- the deed: disclosing payers’ addresses and, in some cases, personal numeric codes to recipients of payments done via the banking institution’s online system; such information was also reflected in bank statements
- number of affected persons: 337,042
- duration of breach: 25 May – 10 December 2018
- amount of fine: EUR 130,000
GDPR provisions in question
In applying the sanction, the Romanian DPA argued that the bank breached the data protection by design and by default requirement under Article 25 of GDPR by not ensuring data minimization in its controlled activities.
What does the first GDPR fine indicate?
For those of us working in the data protection field in Romania, the Romanian DPA applying the first GDPR fine for breach of data minimization requirement does not come as a surprise. On one hand, this requirement (also in place before GDPR) has been the most invoked principle in the DPA’s control and enforcement activities in the past 10 years. On the other hand, the Romanian DPA has consistently opposed the processing of the personal numeric code as a standard practice. It went so far as to issue a decision back in 2011 restricting the legal basis for such processing to express legal obligation or consent. With that decision repealed as of 25 May 2018, it seems that the Romanian DPA has found another way to reinforce the controllers’ need to limit the use of this type of data, having a general identification function, in their various processes.
What was somewhat notable for this decision is that the DPA has reinforced its past practice by relying on new concepts introduced by GDPR. Thus, the fine was ultimately applied not for the breach of the data minimization principle, but for the breach of the data protection by design and by default requirement under Article 25 of GDPR. It also cited Preamble (78) of GDPR and, in particular, the controller’s need to be able to demonstrate compliance with this Regulation, including by adopting internal policies and implementing measures which meet in particular the principles of data protection by design and data protection by default, such as measures meant to minimize the processing of personal data and to pseudonymise personal data. By doing this, the DPA has underlined the need for controllers to not only seek GDPR compliance, but also be able to document and prove such compliance for all their processes.
Where do controllers stand after this fine?
Prior to the DPA’s announcement, some have voiced the concern that the focus on GDPR compliance was losing momentum in Romania. The Romanian DPA’s shift from leniency to active enforcement of GDPR sanctions will for sure mitigate any such risk. In practical terms, what controllers need to do is to make sure they continue to take a closer look to their processes and document GDPR compliance, including by reference to data protection by design and by default requirements. They should also keep an eye on the Romanian DPA’s enforcement actions, as it is probable that the authority will opt to send other signals by way of enforcement actions.