Cluj-Napoca has done an excellent job at converting many of its processes to online applications or forms. However, it seems that some old habits die hard, and staff have been publishing names / email addresses as well as other personal information into the public eye.
The “My Cluj” platform was launched in 2017 with the aim of letting citizens send notifications directly to the city hall, either from their web browser or from their mobile device using an application. At any point, anybody with access to the web can view a map of all the current issues that have been reported in the area and their status.
Cluj XYZ identified at least 7 instances where users of the My Cluj platform have had their full name and personal email address published to the website in the response from the city hall and other public authorities.
…The application “MyCluj–Cluj-Napoca Sesizări” processes personal data and information held / transmitted by you in good faith, ensuring compliance with the right to privacy and applicable law.…
However, under GDPR, publishing any personal email address (such as Gmail, Yahoo, Outlook etc.) online without the consent of the submitter is considered a breach. This also applies to any email address, including company email addresses, which includes the full name of the recipient, such as [email protected].
The censored images below are screenshots taken from the website where the user's personal information, which included their full name, was published.
It further continues by adding: “The processing of personal data is carried out by automatic means, in compliance with legal requirements and under conditions that ensure security, confidentiality and respect for the rights of data subjects.”
However, we received information from one of the people affected by this breach of their personal information that they did not consent to this information being published into the public domain. The law firm also confirmed that there is no purpose in sharing this personal contact information on the platform, as they would have only needed to email the user directly and provide a response on the website, excluding any personal information.
There are thousands of submissions on the platform at any time, and it seems that only a handful of those include personal information, which suggests that this is either an oversight or a bad practice.
A Risk to Safety?
Users have the ability to submit complaints regarding issues which they feel affect their quality of life. In some instances, this can be illegally parked vehicles, noise pollution complaints and even unauthorised constructions. Users of the platform submit these concerns to the city hall with the expectation that this information will remain confidential and be used only for the purpose for which it was intended, which is to allow the city hall to respond to their report and follow up if needed.
The fact that this personal information has been made publicly available raises the question of whether it could be used in retaliation for the original complaint if it were to end up in the wrong hands.
We have notified the City Hall and Mayor Emil Boc of our findings. Should there be any further developments, we will provide an update.