23.01.2025
Sanction for the breach of GDPR
The National Supervisory Authority for Personal Data Processing completed, in December 2024, an investigation at the controller Softtehnica S.R.L. and found a violation of Article 32 paragraph (1) letters b), d) and paragraph (2) of Regulation (EU) 2016/679.
As such, the controller was sanctioned with a fine of 24,866 lei (the equivalent of 5,000 euros).
The investigation was started following the submission of a data breach notification by the controller Softtehnica S.R.L., in accordance with the provisions of Article 33 of Regulation (EU) 2016/679.
During the investigation it was found that, following a ransomware-type cyberattack, the controller’s IT infrastructure was accessed.
In this context, it was found that the controller did not implement adequate technical and organisational measures and did not carry out the periodic testing, evaluation and assessment of the effectiveness of technical and organisational measures in order to ensure the security of the data processing, including the ability to ensure the confidentiality, integrity, availability and continuous resilience of the processing systems and services.
This led to unauthorised disclosure of, or access to, personal data of a significant number of data subjects, such as: name, surname, domicile, e-mail address and contact details, thus breaching the provisions of Article 32 paragraph (1) letters b), d) and paragraph (2) of Regulation (EU) 2016/679.
Legal and Communication Department
A.N.S.P.D.C.P