
ANSPDCP (Romania) - Beko Romania SA

From GDPRhub
Authority: ANSPDCP (Romania)
Jurisdiction: Romania
Relevant Law: Article 32(1)(b) GDPR
Article 32(1)(d) GDPR
Article 32(2) GDPR
Article 33 GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided: 03.03.2025
Published:
Fine: 49,766 RON
Parties: Beko Romania SA
National Case Number/Name: Beko Romania SA
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Romanian
Original Source: Autoritatea Naţională de Supraveghere a Prelucrării Datelor cu Caracter Personal (in RO)
Initial Contributor: elu

The DPA fined a home appliances online shop RON 49,766 (€10,000) for failing to conduct testing, evaluation and assessment. This failure led to a data breach, which involved name, surname, contact and product details of numerous data subjects.

English Summary

Facts

An employee of a home appliances online shop, the controller, notified a data breach to the DPA, as per Article 33 GDPR.

The DPA started an investigation, which revealed that an unauthorised person took advantage of a programming vulnerability and, as a result, accessed the operator's website, which held the database of its customers (the data subjects).

As a result, that person had access to the personal data of a large number of the operator's data subjects, namely: name, surname, telephone number, e-mail address, domicile and product details.

The investigation revealed that the controller did not carry out the regular testing, evaluation and assessment of the efficiency of technical and organisational measures to ensure the security of the processing.

Holding

The DPA held that the controller did not implement appropriate technical and organisational measures, either at the time of establishing the means of processing or during the processing itself, as required by Article 32 GDPR.

This is further aggravated by the lack of regular testing, evaluation and assessment that the investigation revealed.

The DPA found a breach of Article 32(1)(b), (d) and Article 32(2) GDPR and deemed it appropriate to fine the controller RON 49,766 (€10,000).

The DPA further ordered the controller to implement a data volume analysis system of their IT infrastructure.


English Machine Translation of the Decision

The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.

03.03.2025

Sanction for violation of the GDPR


The National Supervisory Authority for Personal Data Processing completed, in February 2025, an investigation at the operator BEKO ROMÂNIA SA and found a violation of the provisions of art. 32 para. (1) letter b) and d) and art. 32 para. (2) of Regulation (EU) 2016/679.

As such, the operator was sanctioned with a fine in the amount of 49,766.00 lei (equivalent to 10,000 EURO).

The investigation was initiated following a notification of a personal data breach, in accordance with the provisions of art. 33 of Regulation (EU) 2016/679.

During the investigation, it was found that an unauthorized person, who took advantage of a programming vulnerability, illegally accessed the operator's website containing its customer database.

Thus, the person in question had access to the personal data of a large number of the operator's customers, namely: name, surname, telephone number, e-mail address, domicile, product details.

As a result, it was found that BEKO ROMÂNIA SA did not implement appropriate technical and organizational measures, neither when establishing the means of processing, nor during the processing itself.

It was also found that the operator did not carry out the periodic testing, evaluation and assessment of the efficiency of the technical and organizational measures to guarantee the security of the processing.

This situation led to unauthorized access by a third party to personal data, in violation of the provisions of art. 25 para. (1) in conjunction with art. 32 para. (1) letter b) and d) and art. 32 para. (2) of Regulation (EU) 2016/679.

Pursuant to art. 58 para. (2) letter d) of Regulation (EU) 2016/679, the operator was ordered to implement, from a technical and organizational perspective, a data volume analysis system in the IT infrastructure of the company BEKO ROMÂNIA SA, including performing a back-up of it.

We note that the operator paid the fine applied.


Legal and Communication Department

A.N.S.P.D.C.P