“My Cluj” Users’ Personal Data Published on Public Platform

Published by:

Published on:

Tags:

Short link:

https://clujxyz.com/s/nj8sp

Cluj-Napoca has done an excellent job of converting many of its processes to online applications or forms. However, it seems that some old habits die hard, and staff have been publishing names, email addresses and other personal information into the public eye.

The “My Cluj” platform was launched in 2017 with the aim of letting citizens send notifications directly to the city hall, either from their web browser or from their mobile device using an application. At any point, anybody with access to the web can view a map of all the current issues that have been reported in the area and their status.

Cluj XYZ identified at least 7 instances where users of the My Cluj platform have had their full name and personal email address published to the website in the response from the city hall and other public authorities.

A representative of TAB Law, a local law firm, confirmed that this would be a breach of the GDPR regulations. In fact, the website itself states that the data will be protected according to the privacy policy and used in compliance with the right to privacy and applicable laws.

4. CONFIDENTIALITY AND SECURITY OF PERSONAL DATA

…Any information provided by you or collected by the City Hall of Cluj-Napoca when you use the application “MyCluj–Cluj-Napoca Sesizări” is subject to the Privacy Policy of “MyCluj–Cluj-Napoca Sesizări“, the terms of which are included in these Terms and Conditions of Use. The “MyCluj–Cluj-Napoca Sesizări” application stores personal information (from the accounts through which you log in to access the application (name, surname, e-mail, phone ID), as well as information about the location of your phone…

The application “MyCluj–Cluj-Napoca Sesizări” processes personal data and information held / transmitted by you in good faith, ensuring compliance with the right to privacy and applicable law.

However, under GDPR regulations, publishing any personal email address (such as Gmail, Yahoo, Outlook etc.) online without the consent of the submitter is considered a breach of GDPR. This also applies to any email address, including company email addresses, which includes the full name of the recipient, such as [email protected]

The censored images below are screenshots taken from the website where the user’s personal information, which included their full name, was published.

We attempted to locate the Privacy Policy referred to in the terms and conditions, however, we were not able to locate any privacy policy on the entire application, nor on the website, as there is no cookie notice with links to the terms and conditions / privacy policy, which is also something required under GDPR.

We were eventually able to locate a privacy policy submitted by the developer from within the iOS App Store, which is available here: https://mycluj.e-primariaclujnapoca.ro/privacy-policy-mycluj-mobile/privacy-policy.html

The privacy policy states that: “According to Law no. 677/2001 for the protection of individuals with regard to the processing of personal data and the free movement of such data and Law no. 506/2004 on the processing of personal data and the protection of privacy in the electronic communications sector, Cluj-Napoca City Hall is obliged to process personal data provided by you or another person, in compliance with security measures and for the purpose communicated.”

It further continues by adding: “The processing of personal data is carried out by automatic means, in compliance with legal requirements and under conditions that ensure security, confidentiality and respect for the rights of data subjects.”

However, one of the people affected by this breach of their personal information informed us that they did not consent to this information being published into the public domain. The law firm also confirmed that there is no purpose in sharing this personal contact information on the platform, as the city hall would only have needed to email the user directly and provide a response on the website, excluding any personal information.

There are thousands of submissions on the platform at any time, and it seems that only a handful of those include personal information, which suggests that this is either an oversight or a bad practice.

A Risk to Safety?

Users have the ability to submit complaints regarding issues which they feel affect their quality of life. In some instances, this can be illegally parked vehicles, noise pollution complaints and even unauthorised constructions. Users of the platform submit these concerns to the city hall with the expectation that this information will remain confidential and only be used for the purpose for which it was intended: to allow the city hall to respond to their report and follow up if needed.

The fact that this personal information has been made publicly available raises the question of whether it could be used in retaliation for the original complaint if it were to end up in the wrong hands.

We have notified the City Hall and Mayor Emil Boc of our findings. Should there be any further developments, we will provide an update.
