04.03.2025
Sanction for the breach of the GDPR
The National Supervisory Authority for Personal Data Processing completed, in January 2025, an investigation at the controller WEBRASOFT SRL and found the breach of Article 32 paragraph (1) letters b) and d) and of Article 32 paragraph (2) of Regulation (EU) 2016/679.
As such, the controller was sanctioned with a fine of 99,518.00 lei (the equivalent of 20,000 euros).
The investigation was initiated following a notification of a personal data breach, in accordance with the provisions of Article 33 of Regulation (EU) 2016/679.
During the investigation, it was found that the controller, which operated an online billing website, was the victim of a cyberattack in which the server storing the customer database was illegally accessed.
At the same time, during the investigation, it emerged that the attacker had unauthorized access to personal data held by the controller, which affected the confidentiality of the personal data of a large number of customers (surname, first name, personal identification number, home address, telephone number, e-mail address, bank account number).
As a result, it was found that WEBRASOFT SRL did not carry out periodic testing, evaluation and assessment of the effectiveness of technical and organizational measures to ensure the security of processing, designed to effectively implement the data protection principles and integrate the necessary safeguards into the processing, to meet the requirements of Regulation (EU) 2016/679 and to protect the rights of data subjects, including the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services.
This situation led to unauthorized access by a third party to personal data held by the controller, thus violating the provisions of Article 32 paragraph (1) letters b) and d) and of Article 32 paragraph (2) of the GDPR.
Pursuant to Article 58 paragraph (2) letter d) of Regulation (EU) 2016/679, the controller was ordered to implement, technically and organizationally, a logging system recording all valid accesses and all errors relating to unsuccessful access attempts on the servers in the controller’s IT infrastructure, with retention of these records for a period of at least 30 days, including back-up of the logging files (logs).
We note that the controller paid the fine imposed.
Legal and Communication Department
A.N.S.P.D.C.P