ANSPDCP (Romania) - NTT Data Romania SA
ANSPDCP - NTT Data Romania SA | |
---|---|
Authority: | ANSPDCP (Romania) |
Jurisdiction: | Romania |
Relevant Law: | Article 32(1)(b) GDPR; Article 32(1)(d) GDPR; Article 32(2) GDPR; Article 33(1) GDPR |
Type: | Investigation |
Outcome: | Violation Found |
Started: | |
Decided: | |
Published: | 25.03.2025 |
Fine: | 124,432.50 RON |
Parties: | NTT Data Romania SA |
National Case Number/Name: | NTT Data Romania SA |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | Romanian |
Original Source: | Autoritatea Naţională de Supraveghere a Prelucrării Datelor cu Caracter Personal (in RO) |
Initial Contributor: | elu |
The DPA fined a consulting and IT services company RON 124,432.50 (€25,000) after a data breach caused by a cyberattack. The company failed to implement sufficient security measures and failed to notify the DPA within 72 hours.
English Summary
Facts
Consulting and IT services company NTT Data Romania SA (the data controller) suffered a data breach due to a cyberattack. Personal data from a significant number of data subjects were unlawfully accessed. The data included names, signatures, addresses, contract information, identity documents, employment and financial data, and data about employees' health. The controller reported the breach to the Romanian DPA.
Holding
The DPA investigated the breach and found that the controller had failed to implement appropriate security measures and to test and monitor their effectiveness. The DPA also found that the controller had failed to report the breach within 72 hours.
The DPA fined the controller RON 124,432.50 (€25,000) for violating Article 32(1)(b), (d) and (2) GDPR, and issued a warning for violating Article 33(1) GDPR.
English Machine Translation of the Decision
The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.
25.03.2025 Sanction for violation of the GDPR

The National Supervisory Authority for Personal Data Processing completed, in February 2025, an investigation at the operator NTT DATA ROMÂNIA S.A. and found a violation of art. 32 para. (1) let. b) and d), para. (2) and art. 33 para. (1) of Regulation (EU) 2016/679. As such, the operator was sanctioned with:

- a fine in the amount of 124,432.50 lei, equivalent to the amount of 25,000 euros, for violating the provisions of art. 32 para. (1) let. b) and d), para. (2) of Regulation (EU) 2016/679;
- a warning for violating the provisions of art. 33 para. (1) of Regulation (EU) 2016/679.

The investigation was initiated following the transmission by the operator NTT DATA ROMÂNIA S.A. of a personal data breach notification, in accordance with the provisions of art. 33 of Regulation (EU) 2016/679.

During the investigation, it was found that, following a cyberattack, the operator's IT infrastructure was accessed and personal data were thus extracted in an unauthorized manner. As such, it was found that the operator did not implement appropriate technical and organizational measures and did not periodically test, evaluate and assess the effectiveness of the technical and organizational measures to guarantee the security of data processing, including the ability to ensure the confidentiality, integrity, availability and continued resilience of the processing systems and services.

In this context, we would like to point out that this situation led to unauthorized access to personal data of a significant number of individuals concerned, such as: name, surname, signature, address, telephone number, e-mail address, gender, nationality, copies of identity documents, marriage certificates, passports, birth certificates, employment information and financial information (invoices, contracts, budget plans), educational information (records of training courses, participation in training courses, CVs, diplomas), and sensitive data regarding the health of employees.

Also, during the investigation, it was found that the operator did not notify the Supervisory Authority within 72 hours from the date on which it became aware of the personal data breach incident, thus violating the provisions of art. 33 para. (1) of the GDPR.

The operator paid the established fine.

Legal and Communication Department A.N.S.P.D.C.P