18.11.2024
Sanction for non-compliance with the GDPR
The National Supervisory Authority for Personal Data Processing completed, in October 2024, an investigation at the controller Altex România S.A. and found an infringement of Article 32 paragraph (1) letter b) and Article 32 paragraph (2) of Regulation (EU) 2016/679 (GDPR), that is, of the obligation to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems, and to assess the appropriate level of security against the risks presented by the processing.
As a result, the controller was sanctioned with a fine of 99,516 lei, the equivalent of 20,000 euros.
The investigation was started following the submission of two personal data breach notifications by Altex România S.A. to the National Supervisory Authority, as follows:
- the controller was informed by e-mail by a third party that some of the controller's customer accounts had been published on a platform, affecting the personal data of a very large number of data subjects, namely: surname, first name, e-mail address, altex.ro account password, information available in the customer account such as delivery address, telephone number, order history, data related to the cards used for online payment, and communications with the controller;
- the controller found that it had been the victim of a "credential stuffing" attack, consisting of repeated attempts to validate passwords against customer accounts in order to place gift card orders; the following personal data were reported as affected, for a significant number of data subjects: the identification data used to log in to the customer account (surname, first name, e-mail address, customer account password) and financial data related to the bank cards registered in the app/website.
During the investigation, it was found that the controller Altex România S.A. had not implemented technical and organisational measures adequate to ensure a level of security corresponding to the risk presented by the processing, so as to prevent unlawful access to its customers' accounts. This led to unauthorised access to the personal data of a very large number of the controller's customers by means of two distinct computer attacks involving the takeover of accounts.
At the same time, pursuant to Article 58 paragraph (2) of Regulation (EU) 2016/679, the following corrective measures were ordered:
- the technical and procedural implementation, on all managed e-commerce websites/apps, of the following measures to reduce the risk of a confidentiality breach through a computer attack on the customer-account authentication platforms: notification of logins from a new device, display of the logged-in devices in the account, and a password complexity and password history policy on all customer accounts with a preset expiration interval;
- the technical and procedural implementation of a system for monitoring the inbound and outbound Internet traffic of the customer-account authentication platforms on all managed e-commerce websites/apps.
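The two patterns behind the ordered measures, credential stuffing against the login endpoint and a successful login from a previously unseen device, can be detected from the authentication log alone. The following is an added illustration written for this page; it is not part of the ANSPDCP decision and does not describe any system operated by Altex România S.A. The log format, the device-fingerprint field, the sample lines and the thresholds (5 distinct accounts from one source within 5 minutes) are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (hypothetical format, not Altex's):
# ISO timestamp  source IP  account e-mail  device fingerprint  result
SAMPLE_LOG = """\
2024-03-01T10:00:00 203.0.113.7 ana@example.com dev-a1 FAIL
2024-03-01T10:00:01 203.0.113.7 bogdan@example.com dev-a1 FAIL
2024-03-01T10:00:02 203.0.113.7 carmen@example.com dev-a1 FAIL
2024-03-01T10:00:03 203.0.113.7 dan@example.com dev-a1 SUCCESS
2024-03-01T10:00:04 203.0.113.7 elena@example.com dev-a1 FAIL
2024-03-01T10:00:05 203.0.113.7 florin@example.com dev-a1 FAIL
2024-03-01T10:05:00 198.51.100.4 dan@example.com dev-home SUCCESS
2024-03-01T10:06:00 198.51.100.4 dan@example.com dev-home FAIL
2024-03-01T10:07:00 198.51.100.4 dan@example.com dev-home SUCCESS
"""


def parse_log(text):
    """Parse one event per non-empty line into a dict, sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, account, device, result = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "ip": ip,
            "account": account,
            "device": device,
            "ok": result == "SUCCESS",
        })
    return sorted(events, key=lambda e: e["ts"])


def detect_credential_stuffing(events, window=timedelta(minutes=5), min_accounts=5):
    """Flag a source IP that tries at least `min_accounts` distinct accounts
    within `window`. Stuffing is broad (one source, many accounts, each tried
    once or twice), so per-account failure counters miss it; keying on the
    number of distinct accounts per source catches it. Returns
    {ip: {"distinct_accounts": n, "compromised": [accounts with a SUCCESS]}}."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    alerts = {}
    for ip, evs in by_ip.items():
        peak, start = 0, 0
        for end in range(len(evs)):
            # Slide the window start forward until it spans at most `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            peak = max(peak, len({e["account"] for e in evs[start:end + 1]}))
        if peak >= min_accounts:
            # Any success from a source classified as stuffing is a likely takeover.
            compromised = sorted({e["account"] for e in evs if e["ok"]})
            alerts[ip] = {"distinct_accounts": peak, "compromised": compromised}
    return alerts


def detect_new_device_logins(events, known_devices):
    """Return (account, device, ip) for each successful login from a device
    fingerprint not yet recorded for that account, and record it so that the
    next login from the same device stays silent. `known_devices` maps
    account -> set of fingerprints and is updated in place."""
    notifications = []
    for e in events:
        if not e["ok"]:
            continue
        seen = known_devices.setdefault(e["account"], set())
        if e["device"] not in seen:
            notifications.append((e["account"], e["device"], e["ip"]))
            seen.add(e["device"])
    return notifications


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print(detect_credential_stuffing(evs))
    # dan's usual device is dev-home; the success from dev-a1 triggers a notice.
    print(detect_new_device_logins(evs, {"dan@example.com": {"dev-home"}}))
```

On the sample, the stuffing detector flags 203.0.113.7 (six distinct accounts in six seconds, one of them logged in successfully) and stays silent for 198.51.100.4, which only ever touches its own account; the new-device check raises exactly one notification, for the takeover login, and nothing for the later logins from the known device. The successful account listed under "compromised" is the one whose owner should be notified and forced to reset the password.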
Legal and Communication Department
A.N.S.P.D.C.P