ANSPDCP (Romania) - Softehnica S.R.L

From GDPRhub
Authority: ANSPDCP (Romania)
Jurisdiction: Romania
Relevant Law: Article 32(2) GDPR, Article 32(3) GDPR, Article 33 GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided:
Published: 23.01.2025
Fine: 24,866 RON
Parties: Softehnica S.R.L
National Case Number/Name: Softehnica S.R.L
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Romanian
Original Source: Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal (in RO)
Initial Contributor: elu

The DPA fined an IT company RON 24,866 (€5,000) as the lack of appropriate technical and organisational measures enabled a ransomware attack, resulting in the unlawful disclosure of data subjects’ names, home addresses, e-mail addresses and contact details.

English Summary

Facts

The DPA started an investigation against the IT company Softehnica S.R.L, the controller, after a data breach was notified pursuant to Article 33 GDPR.

The investigation by the DPA revealed that the controller's IT infrastructure was accessed as a result of a ransomware attack.

Holding

The DPA considered that the ransomware attack happened due to the lack of technical and organisational measures. Moreover, the controller did not implement regular testing, evaluation and assessment of the effectiveness of the technical and organisational measures already in place. As a result, the security of data processing, including the ability to ensure the confidentiality, integrity, availability and continuous resilience of the processing systems and services, could not be assured.

As a consequence of these failures, the name, surname, home address, e-mail address and contact details of data subjects were disclosed unlawfully, in breach of Article 32(2) and 32(3) GDPR.

The DPA deemed it appropriate to impose a fine of RON 24,866 (€5,000) on the controller.

English Machine Translation of the Decision

The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.

23.01.2025

Sanction for violation of the GDPR

The National Supervisory Authority for Personal Data Processing completed, in December 2024, an investigation at the operator Softehnica S.R.L and found a violation of art. 32 par. (1) let. b), d) and par. (2) of Regulation (EU) 2016/679.

As such, the operator was sanctioned with a fine in the amount of 24,866 lei (equivalent to the amount of 5000 Euros).

The investigation was initiated following the transmission by the operator Softehnica S.R.L of a notification of a personal data security breach, according to the provisions of art. 33 of Regulation (EU) 2016/679.

The investigation found that, following a Ransomware-type cyber attack, the operator's IT infrastructure was accessed.

In this context, it was found that the operator did not implement appropriate technical and organizational measures and did not periodically test, evaluate and assess the effectiveness of the technical and organizational measures to guarantee the security of data processing, including the ability to ensure the confidentiality, integrity, availability and continuous resilience of the processing systems and services.

This led to the unauthorized disclosure of or unauthorized access to personal data of a significant number of natural persons concerned, such as: name, surname, domicile, e-mail address and contact details, thus violating the provisions of art. 32 par. (1) let. b), d) and par. (2) of Regulation (EU) 2016/679.  

Legal and Communication Department

A.N.S.P.D.C.P