In August 2024, the National Supervisory Authority for Personal Data Processing closed an investigation at Constanța South Container Terminal SRL data controller and found the violation of Article 32 (1)(b) and Article 32 (2) of the General Data Protection Regulation.

As such, the controller Constanța South Container Terminal SRL was sanctioned with an administrative fine in the amount of 14,929.5 RON (the equivalent of 3000 EUR).

The investigation was launched following a notification on a personal data breach, as provided by Article 33 of the General Data Protection Regulation, which was sent by the data controller.

The data breach consisted in the unauthorised access by a third party to personal data (i.e. full name, date of birth, addresses, home phone numbers and personal emails) of its employees in Romania (data subjects) stored on a file management platform used by the controller and which was publicly available on the internet, without having adequate security measures in place.

The investigation found that the data controller had not implemented the appropriate technical and organisational measures to ensure a level a security suitable to the risk of processing, including the capacity to ensure confidentiality, although the controller was required to continuously ensure the security of data processing for its employees, according to Article 32 of the General Data Protection Regulation.

At the same time, the controller was also imposed the corrective measure to revise and update the technical and organisational measures for the security of personal data processed through the used IT infrastructure, in particular those concerning the log on to the data servers from outside the network.

Legal and Communication Department

A.N.S.P.D.C.P.