
19.11.2025

Sanction imposed for infringing the GDPR

 

The National Supervisory Authority for Personal Data Processing completed, in November 2025, an investigation of the controller Greencorp S.R.L. and found a violation of the provisions of Article 32 paragraph (1) letters b) and d) in conjunction with Article 32 paragraph (2) of Regulation (EU) 2016/679.

The controller was sanctioned with a fine in the amount of 15,258 lei, the equivalent of 3,000 euros.

The investigation was initiated after the controller Greencorp S.R.L. submitted a personal data breach notification, according to the provisions of Article 33 of Regulation (EU) 2016/679.

The controller reported that, following a cyberattack, the database it held was encrypted, access to it was restricted and its computer system was prevented from functioning.

Thus, the following categories of personal data of employees were affected: name, surname, date of birth, personal identification number, number of children, personal identification number of children, studies, nationality, religion, identity card series and number, validity data, contact data (home address, floating address, as applicable, telephone number, personal e-mail address, contact data of a person who can be contacted in case of emergency), employment contract data, financial data of employees, namely data regarding salaries received, changes in position, salary, termination of employment contracts, dependents (with the personal identification number for them), time sheets, sick leaves, pay slips, as well as bank data, namely their bank accounts.

The investigation found that the controller did not have security measures in place with specific and relevant requirements to prevent a cyberattack such as the one that allowed the attacker to access its entire database and encrypt its IT infrastructure.

Therefore, it was found that the controller did not implement appropriate technical and organizational measures and did not carry out periodic testing, evaluation and assessment of the effectiveness of the technical and organizational measures to ensure the security of the processing, designed to effectively implement the data protection principles and integrate the necessary safeguards into the processing, to meet the requirements of the GDPR and to protect the rights of data subjects, including the ability to ensure the ongoing confidentiality, integrity, availability and resilience of the processing systems and services, which led to the unauthorized disclosure of or unauthorized access to the personal data of a significant number of data subjects.

At the same time, the National Supervisory Authority also imposed a corrective measure ordering the controller to ensure compliance with the provisions of Article 32 of Regulation (EU) 2016/679 by implementing appropriate technical and organizational measures to ensure a level of security appropriate to the risk of processing, including by implementing multi-factor authentication for all user/administrator accounts that can connect remotely to the IT infrastructure of Greencorp S.R.L., as well as the technical and organizational implementation of a complexity policy for the passwords used for these accounts.

 

Legal and Communication Department

A.N.S.P.D.C.P