ANSPDCP (Romania) - 06.03.2023

From GDPRhub
ANSPDCP - 06.03.2023
LogoRO.jpg
Authority: ANSPDCP (Romania)
Jurisdiction: Romania
Relevant Law: Article 32 GDPR
Article 83 GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided:
Published: 06.03.2023
Fine: 3,000 EUR
Parties: Finopro IFN
Integral Collection
National Case Number/Name: 06.03.2023
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Romanian
Original Source: ANSPDCP (in RO)
Initial Contributor: ls

The Romanian DPA fined two companies who suffered ransomware attacks followed by data breaches for not ensuring a sufficient level of security.

English Summary[edit | edit source]

Facts[edit | edit source]

Two companies: Finopro IFN and Integral Collection were victims of ransomware attacks. This implied that data they possessed (from ID cards, phone numbers, account statements...) were accessed without authorization and their security was compromised. The companies notified the breaches to the DPA, which then opened two investigations.

Holding[edit | edit source]

The DPA found that both companies had violated Article 32(1)b and c and 32(2) GDPR because they had not implemented adequate technical and organizational measures to ensure a sufficient level of security. In accordance with Article 83 GDPR, the DPA therefore imposed a fine of lei11,023.42 (approximately €2,250) on Finopro IFN and lei14,697.90 (approximately €3,000) on Integral Collection.

Comment[edit | edit source]

Share your comments here!

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.

06.03.2023

Sanctions for GDPR violations

In February of the current year, the National Supervisory Authority completed two investigations at the operators of Finopro IFN SA and Integral Collection SRL and found a violation of the provisions of art. 32 para. (1) lit. b) and c) and para. (2) of the General Data Protection Regulation (RGPD).

As such, the operators were sanctioned as follows:

Finopro IFN SA with a fine of 11,023.42 lei, the equivalent of 2,250 EURO; Integral Collection SRL with a fine of 14,697.90 lei, the equivalent of 3,000 EURO.

The investigations were started as a result of the transmission by the operators of some notifications of breaches of the security of personal data under the RGPD.

During the investigations carried out, it was found that the breach of data processing security occurred as a result of ransomware attacks, a situation that significantly led to unauthorized access and the loss of the integrity and availability of personal data (such as identification data, data from identity cards, addresses, telephone numbers, account statements).

As such, taking into account the measures announced by these operators to remedy the situation, in relation to the criteria for individualizing the sanctions provided for in art. 83 of the RGPD, the penalty for violating the provisions of art. 32 para. (1) lit. b) and c) and para. (2) of the GDPR, as they have not implemented adequate technical and organizational measures to ensure a level of security appropriate to the processing risk, including the ability to ensure the confidentiality, integrity, availability and continued resilience of the processing systems and services.



Legal and Communication Department

A.N.S.P.D.C.P.