The National Supervisory Authority for Personal Data Processing closed an investigation on Ana Hotels SRL data controller and found the violation of Article 32 (1) (b) and (d) in conjunction with Article 32 (2) of the General Data Protection Regulation (GDPR).

As such, the controller was sanctioned with a fine in the amount of 39,763.20 RON (the equivalent of 8,000 EUR).

The investigation was launched following a notification from the data controller on a personal data breach, as provided by the GDPR.

The investigation had found that the personal data breach was the result of a ransomware attack, which led to the unauthorised disclosure of personal data processed and stored by information systems of Ana Hotels SRL, belonging to a significant number of data subjects, employees of the data controller.

As a result, according to the criteria for individualising the sanctions provided for in Article 83 of the GDPR, the data controller was sanctioned with a fine for the violation of Article 32 (1) (b) and (d) in conjunction with Article 32 (2) of the GDPR, given that it had not implemented the appropriate technical and organisational measures to ensure a level a security suitable to the risk of processing, including the capacity to ensure the confidentiality of the processing systems and services.

At the same time, the data controller was also imposed the corrective measure to implement a procedural plan which includes a periodic testing, evaluation and assessment process of all IT systems of the controller through which personal data are processed, in order to guarantee the security of the processing, including continuous logs in terms of both access and data traffic on the servers of the IT infrastructure of the controller Ana Hotels SRL for at least 30 calendar days, including the application of a backup process on it for a similar period of time.

Legal and Communication Department

A.N.S.P.D.C.P.