23.07.2025
Sanction for violating the GDPR
The National Supervisory Authority for Personal Data Processing completed, in June 2025, an investigation at the controller Agricola International SA and found an infringement of Article 32 paragraph (1) letters b) and d) and paragraph (2) of Regulation (EU) 2016/679.
As such, the controller was sanctioned with a fine of 25,226.50 lei (the equivalent of 5,000 euros).
The investigation was initiated following the transmission by the controller Agricola International S.A. of a notification regarding a breach of personal data security, according to the provisions of Article 33 of Regulation (EU) 2016/679.
Thus, the controller notified that, following a cyberattack, a series of categories of personal data of a significant number of employees, their family members and clients were affected, such as: photo of the identity document, name, surname, father's initial, date of birth, age, gender, personal identification number, trademark number, location, position, job, department, type of employment, employee status, spouse's date of birth, company, date of employment, mobile phone number, fax number, e-mail address, parents' names, surnames and telephone number, employee's address, marital status, spouse's name and surname, spouse's personal identification number, personal documents (identity card, work card, aptitude sheet, study details, professional certificates, work card history), bank account, courses, salary payment records, leave records, health insurance records, payment parameters, disability records, bonus records and postal address.
At the same time, during the investigation, it emerged that the controller had not implemented, at the time of the cyberattack, security measures setting specific requirements for secure access to network storage equipment, measures that would have mitigated the risk of unauthorized access to the aforementioned personal data.
As a result, it was found that Agricola International SA had not implemented adequate technical and organizational measures to ensure a level of security appropriate to the risk of processing, including the ability to ensure the confidentiality of processing systems and services and a process for periodic testing, evaluation and assessment of the effectiveness of technical and organizational measures.
This situation led to the unauthorized disclosure or unauthorized access by a third party to personal data held by the controller, thus violating the provisions of Article 32 paragraph (1) letters b) and d) and paragraph (2) of Regulation (EU) 2016/679.
Pursuant to Article 58 paragraph (2) letter d) of Regulation (EU) 2016/679, the corrective measure of implementing appropriate technical and organizational measures was also ordered, including installing operating systems with active support from the manufacturer, complete and updated antivirus solutions on all IT equipment in the controller's network (servers, work devices), and securing external access, as appropriate, to the controller's infrastructure equipment (VPN, MFA, IP restriction).
We note that the controller paid the fine imposed.
Legal and Communication Department
A.N.S.P.D.C.P