The National Supervisory Authority finalised an investigation to the controller DADA CREATION S.R.L. and found that the dispositions of Article 32 paragraphs (1) and (2) and of Article 33 paragraph (1) of the General Data Protection Regulation were infringed.

The controller DADA CREATION S.R.L. was sanctioned as follows:

fine of 24,272.50 lei, the equivalent of 5,000 euros, for the infringement of the provisions of Article 32 paragraphs (1) and (2) of the General Data Protection Regulaiton;
reprimand for the infringement of Article 33 paragraph (1) of the General Data Protection Regulation.

The investigation was launched following a complaint alleging that a document on detailed records of transactions received by this site from its customers (individuals) containing e-mail addresses, numbers telephone number, name and surname of customers (adults and children), age of minors, delivery addresses, order number, total order amount, products ordered and date of order was available through the controller’s website.

The data security breach consisted in the fact that DADA CREATION S.R.L. did not implement adequate technical and organisational measures to ensure a level of security appropriate to the risk of processing, which led to the disclosure and unauthorised access to personal data of a number of approximately 1091 individuals who had placed orders on the controller’s website .

Also, the controller was sanctioned with a reprimand because it did not notify the Supervisory Authority about the data breach (which was brought to its attention by our institution), according to Article 33 of the General Data Protection Regulation.

At the same time, a corrective measure was applied to review and update the technical and organisational measures implemented as a result of the risk assessment for the rights and freedoms of individuals, so as to avoid similar incidents of unauthorized disclosure of personal data processed.

Legal and communication Department

A.N.S.P.D.C.P.