
ANSPDCP (Romania) - Webrasoft SRL

From GDPRhub
Authority: ANSPDCP (Romania)
Jurisdiction: Romania
Relevant Law: Article 32(1)(b) GDPR
Article 32(1)(d) GDPR
Article 32(2) GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided: 04.03.2025
Published:
Fine: 99,518 RON
Parties: n/a
National Case Number/Name: Webrasoft SRL
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Romanian
Original Source: Autoritatea Naţională de Supraveghere a Prelucrării Datelor cu Caracter Personal (in RO)
Initial Contributor: elu

The DPA fined an e-billing website RON 99,518 (€20,000) for failing to conduct regular security assessments, in violation of Article 32 GDPR. This failure led to a cyberattack that allowed a third party to access personal data (e.g. bank account numbers).

English Summary

Facts

A data breach was notified to the DPA by an employee of the e-billing website Webrasoft SRL, the controller, as per Article 33 GDPR. The DPA deemed it appropriate to start an investigation.

The investigation revealed that the controller was the victim of a cyberattack, and that the server on which the customer database was stored was illegally accessed.

The data illegally accessed included: name, surname, personal numeric code, home address, telephone, e-mail address and bank account number.

Moreover, the investigation revealed that the controller did not carry out the periodic testing, assessment and evaluation of the effectiveness of the technical and organisational measures intended to ensure the security of the processing.

Holding

The DPA found that the lack of testing impeded the effective implementation of the data protection principles and the integration of the necessary safeguards into the processing.

This impacted the controller's ability to ensure the confidentiality, integrity, availability and continued resilience of its processing systems.

Thus, the DPA found a violation of Article 32(1)(b), (d) and (2) GDPR and deemed it appropriate to fine the controller RON 99,518 (€20,000).

English Machine Translation of the Decision

The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.

04.03.2025

Sanction for violation of the GDPR


The National Supervisory Authority for Personal Data Processing completed, in January 2025, an investigation at the operator WEBRASOFT SRL and found a violation of the provisions of art. 32 para. (1) letter b) and d) and art. 32 para. (2) of Regulation (EU) 2016/679.

As such, the operator was sanctioned with a fine in the amount of 99,518.00 lei (equivalent to 20,000 EURO).

The investigation was initiated following a notification of a personal data security breach, in accordance with the provisions of art. 33 of Regulation (EU) 2016/679.

During the investigation, it was found that the operator, who owned an online billing site, was the victim of a cyberattack through which the server on which the customer database was stored was illegally accessed.

At the same time, during the investigation, it emerged that the attacker had unauthorized access to the personal data held by the operator, which affected the confidentiality of the personal data of a large number of customers (surname, first name, personal identification number, home address, telephone number, e-mail address, bank account number).

As a result, it was found that WEBRASOFT SRL did not carry out periodic testing, evaluation and assessment of the effectiveness of technical and organizational measures to guarantee the security of processing, designed to effectively implement the data protection principles and integrate the necessary safeguards into the processing, to meet the requirements of Regulation (EU) 2016/679 and to protect the rights of data subjects, including the ability to ensure the confidentiality, integrity, availability and continued resilience of processing systems and services.

This situation led to unauthorized access by a third party to personal data held by the operator, thus violating the provisions of art. 32 para. (1) let. b) and d) and art. 32 para. (2) of the GDPR.

Pursuant to art. 58 para. (2) let. d) of Regulation (EU) 2016/679, the operator was ordered to implement, technically and organisationally, a logging system for all successful accesses and for errors relating to unsuccessful access attempts on the servers in its IT infrastructure, with the logs retained for a period of at least 30 days, including back-ups of the log files.

We note that the operator has paid the fine applied.


Legal and Communication Department

A.N.S.P.D.C.P