The National the National Supervisory Authority for Personal Data Processing closed an investigation on the VESTAS CEU ROMÂNIA SRL data controller, and found the violation of Article 32 (1) (b) and (d), and Article 32 (2) and (4) of Regulation (EU) 2016/679.

Therefore, the data controller was sanctioned with a fine in the amount of 14,928 RON, the equivalent of 3,000 EUR.

The investigation was launched following a notification from the data controller on a personal data breach according to the GDPR, submitted according to Article 33 of Regulation (EU) 2016/679.

The data breach resulted following the unauthorised disclosure of personal data [name, place of living, salary, CV (containing, depending on the case: photo, contact details, address, nationality, date of birth, gender, marital status, status on military service, links to profiles on social media, professional experience, education, technical skills), as well as copies of passports] of a significant number of employees, the data being accessed at the internal level, on many occasions, and illegally disclosed to a third party.

The investigation found that the controller had not implemented the appropriate technical and organisational measures to ensure a level of security suitable to the risk of processing, especially caused by the unauthorised disclosure or unauthorised access to stored personal data.

At the same time, according to Article 58 (2) (d) of the GDPR, VESTAS CEU ROMÂNIA SRL was also imposed the corrective measure to implement a solution for the monitoring of implemented work procedures, in order to avoid similar security incidents.

Legal and Communication Department

A.N.S.P.D.C.P.