The National Supervisory Authority finalized in May current year an investigation at the controller Farmacia Ardealul SRL within which it found the breach of the provisions of Article 32 paragraph (1) letters b) and d) and paragraph (2) from the General Data Protection Regulation.

Therefore, the controller Farmacia Ardealul SRL was sanctioned with fine in amount of Lei 12,424, the equivalent of EUR 2,500.

The investigation was started following the submission by the controller of a personal data security breach notification based on the General Data Protection Regulation.

Within the investigation performed it was found that the breach of the data processing security took place through the unauthorized installing of a malware program on the website of the controller.

This situation led to the breach of the personal data confidentiality (banking data) of a significant number of clients following the unauthorized instalment of a fictive form for the collection of the banking data on the website of the controller.

Thus, the controller Farmacia Ardealul SRL was sanctioned with fine for the breach of the provisions of Article 32 paragraph (1) letters b), d0 and paragraph (2) from the General Data Protection Regulation given that it did not implement adequate technical and organizational measures to ensure a level of security corresponding to the risk presented by the processing.

Also, the corrective measure to implement a plan that includes a periodical testing, scanning, evaluation and assessment mechanism of the security of all IT systems of the controller, including on its website, was ordered.

Legal and Communication Department

A.N.S.P.D.C.P.