Home » Comunicat_Presa_21_09_2022
 Română | English | Francais

21.09.2022

Sanction for the breach of GDPR

 

The National Supervisory Authority finalized during August 2022 an investigation at the controller Curtea Veche Publishing SRL and found the breach of the provisions of Article 32 paragraph (1) letters b) and c) and paragraph (2) of the General Data Protection Regulation.

The controller was sanctioned with fine in amount of Lei 24,566 (the equivalent of EUR 5,000).

The investigation was started following the submission by the controller of some personal data security breach notifications based on the General Data Protection Regulation.

One of the data security breaches took place following the posting on a public forum of a file that contained the controller’s clients’ database from the period 2019-2021.

This situation led to the unauthorized disclosure of certain personal data such as first name, last name, telephone number, e-mail, crypted password, IP address from which the user account was created, of a number of 10,739 clients of the controller.

The second breach of the data security took place following a ransomware attack, situation that led to the unauthorized access and loss of the integrity and availability of certain personal data of approx. 100 data subjects (employees and collaborators of Curtea Veche Publishing SRL).

Within the investigation, the National Supervisory Authority found that the controller did not implement adequate technical and organizational measures in order to ensure a level of security corresponding to the processing risk for the rights and freedoms of the natural persons.

Therefore, the controller Curtea Veche Publishing SRL was sanctioned with fine in amount of Lei 24,566 (the equivalent of EUR 5,000) for the breach of the provisions of Article 32 paragraph (1) letters b) and c) and paragraph (2) of the General Data Protection Regulation.

Also, the corrective measure to review and update the technical and organizational measures implemented was applied following the evaluation regarding the risk for the rights and freedoms of the persons and of the work procedures regarding the personal data protection, inclusively through the implementation of some additional informational solutions for data security.

 

Legal and Communication Department

A.N.S.P.D.C.P.