10.09.2024
Sanction for GDPR violation
In August 2024, the National Supervisory Authority for Personal Data Processing completed an investigation into Fundația Pro Economica (Pro Economica Foundation) – Pro Economica Alapítvány and found a violation of Article 32 (1)(b) and Article 32 (2) of the General Data Protection Regulation.
As such, the controller Fundația Pro Economica – Pro Economica Alapítvány was sanctioned with a fine in the amount of 4,976.70 RON (the equivalent of 1000 EUR).
The investigation was launched following a notification from the data controller on a personal data breach.
The data breach was the result of a cyberattack that deleted personal data from the server owned by the Foundation, thus affecting the availability of stored data.
The investigation found that the data controller had not implemented the appropriate technical and organisational measures to ensure a level of security suitable to the risk of processing, including the capacity to ensure the continuous confidentiality, integrity, availability and resilience of the processing systems and services, which led to the deletion of data stored on its own server and their unavailability for a certain period.
As such, the breach led to unauthorised access to personal data (i.e. name, surname, personal identity number, address, email, phone number, position, salary, indemnity, the amount of the grant, the goods purchased with the grant and the signature of the legal representative) of several data subjects.
At the same time, under Article 58 (2)(d) of the General Data Protection Regulation, the corrective measure was also imposed on the controller Fundația Pro Economica – Pro Economica Alapítvány to revise and update the technical and organisational measures for the security of personal data processed through the IT infrastructure it uses, in particular those concerning logging on to the data servers from outside the network.
Legal and Communication Department
A.N.S.P.D.C.P.