The National Supervisory Authority for Personal Data Processing completed an investigation at the controller Maravet S.R.L. and found the breach of Article 32 paragraph (4) in conjunction with Article 32 paragraph (1) letters b) and d) and paragraph (2) of Regulation (EU) 2016/679.

As such, the controller was sanctioned with a fine in the amount of 24,885.50 lei, the equivalent of 5,000 euros.

The investigation was initiated following the transmission by the controller Maravet S.R.L. of a notification of a personal data breach, in accordance with the provisions of Article 33 of Regulation (EU) 2016/679.

Thus, the controller notified the fact that a former employee of the company had copied and disclosed in an unauthorized manner information containing personal data from the controller’s database and posted it on a website.

During the investigation, it was found that he had posted on the website of his new employer, for a certain period of time, personal data belonging to a significant number of data subjects.

This situation led to the unauthorized disclosure of personal data, namely: names, telephone numbers, e-mail addresses, home addresses, personal identification number, numbers and series of identity cards or passports, employment documents, employee salaries, professional evaluations of employees, photographs of employees and customers.

Thus, it was found that the controller did not take measures to ensure that any natural person acting under its authority and having access to personal data only processes them at the request of the controller and did not implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk of the processing, including the ability to ensure the confidentiality and integrity of the processing systems and services.

The controller paid the established fine.

Legal and Communication Department

A.N.S.P.D.C.P