26.02.2024
Sanction for the GDPR infringement
The National Supervisory Authority for Personal Data Processing finalized an investigation at the controller VESTAS CEU ROMANIA SRL and found a breach of the provisions of Article 32 paragraph (1) letter b) and of Article 32 paragraphs (2) and (4) of Regulation (EU) 2016/679.
Therefore, the controller was sanctioned with a fine in the amount of Lei 14,928 (the equivalent of EUR 3,000).
The investigation was started following the submission by the controller of a personal data breach notification according to Article 33 of Regulation (EU) 2016/679.
The breach of data security took place following the unauthorized disclosure of personal data for a significant number of employees: name, domicile city, salary, CV (which contained, depending on the case, a photograph, contact details, address, nationality, date of birth, gender, civil status, status regarding military service, references to profiles on social networks, professional experience, education, technical abilities), as well as passport copies. These data were accessed internally, repeatedly, and illegally disclosed to a third party.
Within the investigation it was found that the controller did not implement adequate technical and organizational measures in order to ensure a level of security corresponding to the risk presented by the processing, generated specifically by the unauthorized disclosure or unauthorized access to the personal data stored.
Also, based on Article 58 paragraph (2) letter d) of the GDPR, the controller VESTAS CEU ROMÂNIA SRL was ordered, as a corrective measure, to implement a solution for monitoring the application of the working procedures implemented, in order to avoid similar security incidents.
Legal and Communication Department
A.N.S.P.D.C.P.