12.05.2025
Sanction for infringing the GDPR
The National Supervisory Authority for Personal Data Processing completed, in April 2025, an investigation at the controller CV PRO CONSULT S.R.L. and found a breach of Article 32 paragraphs (1) and (2) of Regulation (EU) 2016/679.
As such, the controller was sanctioned with a fine in the amount of 9,955 lei (the equivalent of 2,000 euros).
The investigation was initiated following the transmission by the controller CV PRO CONSULT S.R.L. of a notification of a personal data breach, in accordance with the provisions of Article 33 of Regulation (EU) 2016/679.
During the investigation, it was found that, following a cyberattack, the controller’s IT infrastructure was accessed and, at the same time, the controller’s access to its own IT infrastructure was restricted.
This situation led to the disclosure of, and unauthorized access to, the personal data of a significant number of employees of the clients in the controller’s portfolio, namely: name, surname, personal identification number, domicile, position, salary, bonuses and other salary rights.
As such, it was found that the controller did not implement adequate technical and organizational measures to ensure a level of security appropriate to the risk of processing generated in particular by accidental or unlawful destruction, loss, modification, unauthorized disclosure and unauthorized access to personal data transmitted, stored and otherwise processed.
At the same time, pursuant to Article 58 paragraph (2) letter d) of the Regulation, the corrective measure of periodic verification of compliance with the implemented work procedures regarding the protection of personal data, as well as the periodic training of persons acting under its authority, including on the risks involved in the processing of personal data, was ordered against the controller.
The controller paid the established fine.
Legal and Communication Department
A.N.S.P.D.C.P