ANSPDCP (Romania) - Softehnica S.R.L
| ANSPDCP - Softehnica S.R.L | |
|---|---|
| Authority: | ANSPDCP (Romania) |
| Jurisdiction: | Romania |
| Relevant Law: | Article 32(2) GDPR, Article 32(3) GDPR, Article 33 GDPR |
| Type: | Investigation |
| Outcome: | Violation Found |
| Started: | |
| Decided: | |
| Published: | 23.01.2025 |
| Fine: | 24,866 RON |
| Parties: | Softehnica S.R.L |
| National Case Number/Name: | Softehnica S.R.L |
| European Case Law Identifier: | n/a |
| Appeal: | Unknown |
| Original Language(s): | Romanian |
| Original Source: | Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal (in RO) |
| Initial Contributor: | elu |
The DPA fined an IT company RON 24,866 (€5,000) as the lack of appropriate technical and organisational measures enabled a ransomware attack, resulting in the unlawful disclosure of data subjects’ names, home addresses, e-mail addresses and contact details.
English Summary
Facts
The DPA started an investigation against the IT company Softehnica S.R.L, the controller, after a data breach was notified pursuant to Article 33 GDPR.
The investigation by the DPA revealed that the controller's IT infrastructure was accessed as a result of a ransomware attack.
Holding
The DPA considered that the ransomware attack happened due to the lack of technical and organisational measures. Moreover, the controller did not implement regular testing, evaluation and assessment of the effectiveness of the technical and organisational measures already in place. As a result, the security of data processing, including the ability to ensure the confidentiality, integrity, availability and continuous resilience of the processing systems and services, could not be assured.
As a consequence of these failures, the name, surname, home address, e-mail address and contact details of data subjects were disclosed unlawfully, in breach of Article 32(2) and 32(3) GDPR.
The DPA deemed it appropriate to impose a fine of RON 24,866 (€5,000) on the controller.
English Machine Translation of the Decision
The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.
23.01.2025

Sanction for violation of the GDPR

The National Supervisory Authority for Personal Data Processing completed, in December 2024, an investigation at the operator Softehnica S.R.L and found a violation of art. 32 par. (1) letters b), d) and par. (2) of Regulation (EU) 2016/679.

As such, the operator was sanctioned with a fine in the amount of 24,866 lei (equivalent to the amount of 5000 Euros).

The investigation was initiated following the transmission by the operator Softehnica S.R.L of a notification of a personal data security breach, according to the provisions of art. 33 of Regulation (EU) 2016/679.

The investigation found that, following a Ransomware-type cyber attack, the operator's IT infrastructure was accessed.

In this context, it was found that the operator did not implement appropriate technical and organizational measures and did not periodically test, evaluate and assess the effectiveness of the technical and organizational measures to guarantee the security of data processing, including the ability to ensure the confidentiality, integrity, availability and continuous resilience of the processing systems and services.

This led to the unauthorized disclosure of or unauthorized access to personal data of a significant number of natural persons concerned, such as: name, surname, domicile, e-mail address and contact details, thus violating the provisions of art. 32 par. (1) letters b), d) and par. (2) of Regulation (EU) 2016/679.

Legal and Communication Department
A.N.S.P.D.C.P