ANSPDCP (Romania) - Fine against Fundația Pro Economica – Pro Economica Alapítvány

From GDPRhub
ANSPDCP - Fine against Fundația Pro Economica – Pro Economica Alapítvány
Authority: ANSPDCP (Romania)
Jurisdiction: Romania
Relevant Law: Article 32(1) GDPR, Article 32(2) GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided:
Published: 10.09.2024
Fine: 4,976.70 RON
Parties: Fundația Pro Economica – Pro Economica Alapítvány
National Case Number/Name: Fine against Fundația Pro Economica – Pro Economica Alapítvány
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Romanian
Original Source: ANSPDCP (in RO)
Initial Contributor: fb

The DPA fined a controller RON 4,976.70 (€1,000) after a data breach led to the unlawful disclosure of personal data. The DPA held that the controller had not implemented adequate organisational measures to prevent unauthorised parties from accessing its servers.

English Summary

Facts

The controller experienced a data breach, which occurred as a result of a hacking attack that deleted personal data from the controller's server, thus affecting the availability of stored data.

The controller notified the data breach to the DPA.

Holding

First, the DPA held that the controller did not implement adequate technical and organisational measures to ensure a level of security appropriate to the processing risk, including the ability to ensure the confidentiality, integrity, availability and continuous resilience of the processing systems and services. This led to the deletion of the data on its own server and their unavailability for a certain period of time.

Moreover, the DPA found that the consequence of the data breach at hand was the unauthorised access to personal data (such as name, surname, ID number, address, e-mail, telephone number, function, salary, allowance, amount of grant received, goods purchased with the grant and signature of the legal representative) of data subjects.

On these grounds, the DPA issued a fine of RON 4,976.70 (€1,000) and ordered the controller to update its technical and organizational measures regarding the security of personal data processed through the IT infrastructure used, in particular those concerning the connection to the data servers from outside the network.


English Machine Translation of the Decision

The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.

10.09.2024

Penalty for GDPR violation

The National Supervisory Authority for the Processing of Personal Data completed in August 2024 an investigation at the Pro Economica Foundation – Pro Economica Alapítvány and found a violation of the provisions of art. 32 para. (1) lit. b) and para. (2) of the General Data Protection Regulation.

As such, the Pro Economica Foundation – Pro Economica Alapítvány was penalized with a fine of 4,976.70 lei (the equivalent of 1000 EURO).

The investigation was started after the operator submitted a notification of a personal data security breach.

The breach of data security occurred as a result of a computer attack through which personal data was deleted from the Foundation's own server, thus affecting the availability of stored data.

From the checks carried out, it emerged that the operator did not implement adequate technical and organizational measures in order to ensure a level of security corresponding to the processing risk, including the ability to ensure the confidentiality, integrity, availability and continuous resistance of processing systems and services, which led to the deletion of existing data on its own server and their unavailability for a certain period of time.

Consequently, this breach led to unauthorized access to personal data (such as surname, first name, CNP, address, e-mail, telephone number, position, salary, allowance, amount of non-refundable financing received, goods purchased from the non-reimbursable financing and the signature of the legal representative) of some concerned persons.

At the same time, under art. 58 para. (2) lit. d) of the General Regulation on Data Protection, the operator Fundația Pro Economica – Pro Economica Alapítvány was also ordered, as a corrective measure, to review and update the technical and organizational measures implemented regarding the security of personal data processed through the IT infrastructure used, especially those which concern connecting from outside the network to the data servers.

Legal and Communication Department

A.N.S.P.D.C.P.