Home » Comunicat_Presa_04_03_2025
 Română | English | Francais

sigla_anspdcp_2.png

The new Regulation 2016/679 applicable from 25th of May 2018

 

Complaints

GDPR Complaints

 

Procedure for complaints

Information on the payment of fine by legal entities

Controllers

Data Protection Officer Form

 

GDPR Breach Notification

 

Law nr. 506/2004 Breach Notification

 

GDPR Sanctions

Schengen

 

Schengen

News

Useful Information

 

F.A.Q.

Guidelines Q&A Regulation (EU) 2016/679

Indicative guidelines GDPR

Guidelines on the application of Law no. 363/2018

Useful Links

 

TFTP - Terrorist Finance Tracking Program

 

 

 

Procedure

Forms

Contact

Contact us

Data Protection

Information on the processing of personal data carried out by ANSPDCP

 

Cookies policy

04.03.2025

Sanction for the breach of the GDPR

 

The National Supervisory Authority for Personal Data Processing completed, in January 2025, an investigation at the controller WEBRASOFT SRL and found the breach of Article 32 paragraph (1) letters b) and d) and of Article 32 paragraph (2) of Regulation (EU) 2016/679.

As such, the controller was sanctioned with fine of 99,518.00 lei (the equivalent of 20,000 euros).

The investigation was initiated following a notification of a personal data breach, in accordance with the provisions of Article 33 of Regulation (EU) 2016/679.

During the investigation, it was found that the controller who owned an online billing website was the victim of a cyberattack, through which the server on which the customer database was stored was illegally accessed.

At the same time, during the investigation, it emerged that the attacker had unauthorized access to personal data held by the controller, which affected the confidentiality of the personal data of a large number of customers (surname, first name, personal identification number, home address, telephone number, e-mail address, bank account number).

As a result, it was found that WEBRASOFT SRL did not carry out periodic testing, evaluation and assessment of the effectiveness of technical and organizational measures to ensure the security of processing, designed to effectively implement the data protection principles and integrate the necessary safeguards into the processing, to meet the requirements of Regulation (EU) 2016/679 and to protect the rights of data subjects, including the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services.

This situation led to unauthorized access by a third party to personal data held by the controller, thus violating the provisions of Article 32 paragraph (1) letters b) and d) and of Article 32 paragraph (2) of the GDPR.

Pursuant to Article 58 paragraph (2) letter d) of Regulation (EU) 2016/679, the technical and organizational implementation of a logging system of all valid accesses/errors regarding unsuccessful access attempts on the servers in the controller’s IT infrastructure was ordered, with their retention for a period of at least 30 days, including the back-up of the logging files (logs).

We note that the controller paid the fine applied.

 

Legal and Communication Department

A.N.S.P.D.C.P