The National Supervisory Authority for Personal Data Processing, completed, in October 2025, an investigation at the controller PGS SOFA & CO SRL and found a violation of the provisions of Article 32 paragraph (1) letters b) and d) and paragraph (2) of Regulation (EU) 2016/679.

As such, the controller was sanctioned with a fine in the amount of 40,663 lei, the equivalent to 8,000 euros.

The investigation was initiated following the transmission by the controller PGS SOFA & CO S.R.L of a notification of a personal data breach, in accordance with the provisions of Article 33 of Regulation (EU) 2016/679.

During the investigation, it was found that, following a cyberattack, the controller’s access to its own IT infrastructure was accessed and at the same time restricted.

This situation led to unauthorized access to the personal data of a significant number of employees, customers and collaborators of the controller, namely identification data, salary, bank accounts of employees and bank accounts of customers and collaborators.

As such, it was found that the controller did not implement appropriate technical and organizational measures and did not carry out periodic testing, evaluation and assessment of the effectiveness of technical and organizational measures to guarantee the security of the processing.

At the same time, pursuant to Article 58 paragraph (2) letter d) of the Regulation, the corrective measure to ensure compliance with the provisions of Article 32 of the GDPR was ordered against the controller, in terms of implementing appropriate technical and organizational measures in order to ensure a level of security appropriate to the risk of the processing, including by implementing multi-factor authentication for all user/administrator accounts that can connect remotely to the controller’s IT infrastructure, as well as implementing a password complexity policy used for these accounts.

Legal and Communication Department

A.N.S.P.D.C.P