05.02.2025
Sanction for the infringement of the GDPR
The National Supervisory Authority for Personal Data Processing completed, in December 2024, an investigation at the controller FARMEC SA and found a breach of Article 25 paragraph (1) in conjunction with Article 32 paragraph (1) letters b) and d) and paragraph (2) of Regulation (EU) 2016/679.
As such, the controller was sanctioned with a fine of 24,854.50 lei (the equivalent of 5,000 euros).
The investigation was launched following the submission by the controller FARMEC SA of a data breach notification, pursuant to the provisions of Article 33 of Regulation (EU) 2016/679.
During the investigation it was found that, following a cyberattack, a database of users and administrators of the controller’s website was accessed, which led to the extraction of data from the mentioned record system.
It was also found that the controller did not implement the necessary security measures at the time of the incident in order to prevent the attack and did not update its IT systems to the latest version permitted by the license to deal with new cyber threats.
This led to the unauthorised disclosure of, or access to, personal data belonging to a significant number of data subjects, such as: name, surname, e-mail address, encrypted password for user account access, thus violating the provisions of Article 25 paragraph (1) in conjunction with Article 32 paragraph (1) letters b) and d) and paragraph (2) of Regulation (EU) 2016/679.
The controller paid the established fine.
Legal and Communication Department
A.N.S.P.D.C.P