The National Supervisory Authority for Personal Data Processing completed, in February 2025, an investigation at the controller BEKO ROMÂNIA SA and found the breach of Article 32 paragraph (1) letters b) and d) and of Article 32 paragraph (2) of Regulation (EU) 2016/679.

As such, the controller was sanctioned with fine of 49,766.00 lei (the equivalent of 10,000 euros).

The investigation was initiated following a notification of a personal data breach, in accordance with the provisions of Article 33 of Regulation (EU) 2016/679.

During the investigation, it was found that an unauthorised person, who took advantage of a programming vulnerability, illegally accessed the controller’s website containing its customer database.

Thus, the person in question had access to the personal data of a large number of the controller’s customers, namely: name, surname, telephone number, e-mail address, domicile, product details.

As a result, it was found that BEKO ROMÂNIA SA did not implement adequate technical and organisational measures, neither when establishing the means of processing, nor during the processing itself.

It was also found that the controller did not carry out the testing, evaluation and periodic assessment of the effectiveness of the technical and organisational measures in order to ensure the security of the processing.

This situation led to unauthorised access by a third party to personal data, in violation of the provisions of Article 25 paragraph (1) in conjunction with Article 32 paragraph (1) letters b) and d) and Article 32 paragraph (2) of Regulation (EU) 2016/679.

Pursuant to Article 58 paragraph (2) letter d) of Regulation (EU) 2016/679, the controller was ordered the corrective measure to implement, from a technical and organisational perspective, a data volume analysis system in the IT infrastructure of BEKO ROMÂNIA SA, including performing back-ups on it.

We note that the controller paid the fine applied.

Legal and Communication Department

A.N.S.P.D.C.P