The National Supervisory Authority for Personal Data Processing, completed, in August 2025, an investigation at the controller Unita Turism Holding S.A. and found a violation of the provisions of Article 32 paragraph (1) letter b) and paragraph (2) of Regulation (EU) 2016/679.

As such, the controller was sanctioned with a fine of 25,368 lei, the equivalent of 5,000 euros.

The investigation was initiated following the transmission by the controller Unita Turism Holding S.A. of a notification of a personal data breach, in accordance with the provisions of Article 33 of Regulation (EU) 2016/679.

Thus, the controller notified the fact that, following a cyberattack, personal data belonging to current and former employees were disclosed and extracted in an unauthorized manner, namely: name and surname, position, place of residence, personal identification number, medical and financial-banking documents.

At the same time, during the investigation, it emerged that the controller had not implemented, at the time of the cyberattack, adequate technical and organizational measures to ensure a level of security appropriate to the risk presented by the processing, generated in particular, accidentally or unlawfully, by the destruction, loss, modification, unauthorized disclosure or unauthorized access to personal data transmitted, stored or otherwise processed, including the ability to ensure the confidentiality, integrity, availability and continuous resilience of the processing systems and services.

This situation led to illegal access to personal data belonging to several data subjects, in violation of the provisions of Article 32 paragraph (1) letter b) and paragraph (2) of Regulation (EU) 2016/679.

The controller paid the fine imposed.

Legal and Communication Department

A.N.S.P.D.C.P