
28.11.2024

Sanction for the breach of the GDPR


The National Supervisory Authority for Personal Data Processing completed, in October 2024, an investigation at the controller Rompetrol Downstream SRL and found the infringement of Article 32 paragraph (1) letter b) and paragraph (2) in conjunction with Article 83 paragraph (4) letter a) of Regulation (EU) 2016/679.

As such, the controller was sanctioned with a fine of 19,893.20 lei, the equivalent of 4,000 euros.

The investigation was launched following the submission of a personal data breach notification by the controller Rompetrol Downstream SRL, pursuant to the obligation based on Article 33 of Regulation (EU) 2016/679.

Thus, several natural persons were reported to have received unauthorized e-mails with malicious "phishing" content.

At the same time, within the same incident, personal data belonging to some data subjects, such as the e-mail address, the name and surname contained in the name of the e-mail, and the names, surnames and signatures contained in files belonging to the controller, were downloaded and accessed illegally.

During the investigation, it was found that the controller's e-mail address intended for correspondence with customers, administered and used exclusively by a legal-entity processor of the controller, had a password known to several of that processor's employees, which allowed unauthorized access to the e-mail address in question, thus infringing the confidentiality of the data.

It was also found that the controller did not implement adequate technical and organizational measures in order to ensure a level of security corresponding to the risk of the personal data processing, including the ability to ensure the confidentiality.

As such, Rompetrol Downstream SRL was fined for infringing the provisions of Article 32 paragraph (1) letter b) and paragraph (2) of Regulation (EU) 2016/679.

At the same time, a corrective measure was ordered against the controller: to establish an inspection/audit plan for its processor, so that measures are taken to correct the identified deficiencies and similar security incidents are avoided.


Legal and Communication Department

A.N.S.P.D.C.P