16.10.2024
Sanction for GDPR violation
The National Supervisory Authority for Personal Data Processing completed an investigation at the data controller Your Consulting SRL and found a violation of Article 25 (1), Article 32 (1)(a), (b) and (d) and Article 32 (2) of Regulation (EU) 2016/679.
As such, the controller Your Consulting SRL was sanctioned with a fine in the amount of 14,929.20 RON (the equivalent of 3,000 EUR).
The investigation was launched following a complaint that certain personal data were disclosed through the controller's application, https://your-scim.herokuapp.com.
During the investigation it was found that the controller had not implemented appropriate technical and organisational measures, either when it decided on the means of processing or at the time of the processing itself, and that it had not carried out regular testing, evaluation and assessment of the effectiveness of the technical and organisational measures to ensure the security of processing.
This led to unauthorised access to personal data (name and surname, personal identification number, the number of holiday vouchers nominally distributed, the total nominal value of holiday vouchers, date of return from parental leave) of several natural persons, during March-April 2024.
In this context, the data controller Your Consulting SRL was sanctioned with a fine for the violation of Article 25 (1), Article 32 (1)(a), (b) and (d) and Article 32 (2) of Regulation (EU) 2016/679.
At the same time, pursuant to Article 58 (2) of Regulation (EU) 2016/679, a corrective measure was also imposed on the controller: to implement a mechanism to periodically test, evaluate and assess the effectiveness of the adopted measures, considering the risk of processing, in order to ensure an adequate security level and avoid similar security incidents in the future.
Legal and Communication Department
A.N.S.P.D.C.P.