08.07.2025
Sanction for violation of the GDPR
The National Supervisory Authority for Personal Data Processing completed, in June 2025, an investigation at the controller Selgros Cash & Carry SRL and found a breach of Article 32 paragraph (1) letters b), d) and paragraph (2) of Regulation (EU) 2016/679.
As such, the controller was sanctioned with a fine of 15,109.80 lei, the equivalent of 3,000 euros.
The investigation was initiated following the submission by Selgros Cash & Carry SRL of a personal data breach notification, in accordance with the provisions of Article 33 of Regulation (EU) 2016/679.
During the investigation, it was found that, due to a programming or implementation error in an application, personal data belonging to several data subjects were disclosed.
As such, it was found that the controller did not implement adequate organizational measures to ensure an appropriate level of security, taking into account the risks presented by the processing for the rights and freedoms of the data subjects.
In this context, we specify that this situation led to the unauthorized disclosure of, or unauthorized access to, the personal data of a significant number of individuals concerned, namely: name, surname, place of work, internal employee brand number, salary income, other salary and non-salary information, as well as other elements related to the performance of the individual employment contract.
At the same time, the controller did not carry out the testing, evaluation and periodic assessment of the effectiveness of the technical and organizational measures to guarantee the security of data processing, namely the testing of the application.
The controller paid the established fine.
Legal and Communication Department
A.N.S.P.D.C.P