Home » Comunicat_Presa_26_09_2023
 Română | English | Francais

sigla_anspdcp_2.png

The new Regulation 2016/679 applicable from 25th of May 2018

 

Complaints

GDPR Complaints

 

Procedure for complaints

Information on the payment of fine by legal entities

Controllers

Data Protection Officer Form

 

GDPR Breach Notification

 

Law nr. 506/2004 Breach Notification

 

GDPR Sanctions

Schengen

 

Schengen

Visa Information System

 

 

 

Visa Information System

News

Useful Information

 

F.A.Q.

Guidelines Q&A Regulation (EU) 2016/679

Indicative guidelines GDPR

Guidelines on the application of Law no. 363/2018

Useful Links

 

TFTP - Terrorist Finance Tracking Program

 

 

 

Procedure

Forms

Contact

Contact us

Data Protection

Information on the processing of personal data carried out by ANSPDCP

 

Cookies policy

26.09.2023

 

Sanction for the GDPR infringement

 

The National Supervisory Authority for Personal Data Processing finalized in September 2023 an investigation at the controller RESTART ENERGY ONE S.A. and found the breach of the provisions of Article 32 paragraph (1) letter b) and letter d), in conjunction with Article 32 paragraph (2) from Regulation (EU) 2016/679, as well as of Article 4 paragraph (5) of Law no. 506/2004 on the processing of personal data and the protection of privacy in the electronic communications sector, amended and supplemented.

Therefore, the controller was sanctioned with:

  • fine in amount of Lei 124,150, the equivalent of EUR 25,000, for the breach of Article 32 paragraph (1) letters b) and d), corroborated with Article 32 paragraph (2) from Regulation (EU) 2016/679;
  • fine in amount of Lei 40,000 for the breach of Article 4 paragraph (5) of Law no. 506/679.

The investigation was started following an intimation regarding a potential breach of the personal data security on the website of the controller.

Within the investigation performed, the existence of a data security breach was found in the sense that a file from the controller’s website that contained personal data (first name, last name, address, telephone number, e-mail addresses, contract number and date of conclusion) for a number of at least 750 data subjects, was accessible to the public by accessing a link generated by the search engines for a period of approximately 2 and half years. 

Also, it was found that by accessing the website managed by the controller cookies modules that were not necessary from a technical point of view were installed on the device of the user, before the giving of the consent by pressing the Accept button, and the expressing of the disagreement by pressing the Refuse button in relation to the installment of these cookies modules had no influence on them, the latter remaining installed under the initial form, for a certain period of time, on the user’s device.

In addition to the fine sanctions, the National Supervisory Authority for Personal Data Processing also applied corrective measures, ordering to the controller to implement a procedure plan that would include a testing, evaluation and periodical assesment process of all the systems and their subsequent amendments performed by the controller or by the services providers (processors), specifically on the website managed by the controller.

 

Legal and Communication Department

A.N.S.P.D.C.P.