The National Supervisory Authority for Personal Data Processing, finalised, in September 2025, an investigation at the controller S.P.E.E.H. HIDROELECTRICA SA and found the infringement of the provisions of Article 32 paragraph (1) letters b) and d) and paragraph (4) of the Regulation (EU) 2016/679.

As such, the controller was sanctioned with a fine of 25,392 lei (the equivalent of 5,000 euros).

The investigation was initiated following the transmission by the controller S.P.E.E.H. HIDROELECTRICA SA of a notification regarding the breach of personal data security, according to the provisions of Article 33 of Regulation (EU) 2016/679.

According to the information mentioned in the notification form, a customer of the controller reported receiving an invoice for the supply of electricity that belonged to another person.

During the investigation, it was found that this incident occurred as a result of a technical error occurring within the IT system used by the controller through which invoices were transmitted to its customers, which led to the loss of control over the personal data of the data subject.

This breach led to the unauthorized disclosure of certain personal data of several data subjects (customers), namely: surname, first name, customer code, contract account code, address, contract number, contract date, contract termination date, billing period, due date, consumption place code, invoiced services, invoiced quantity, unit price in lei, value of services, measurement details, number of days of average consumption, total invoiced value, total payment for the current invoice.

As such, the provisions of Article 32 paragraph (1) letters b) and d) and paragraph (4) of Regulation (EU) 2016/679 were violated.

Legal and Communication Department

A.N.S.P.D.C.P