
26.09.2023

 

Sanction for GDPR infringement

 

In September 2023, the National Supervisory Authority for Personal Data Processing completed an investigation of the controller RESTART ENERGY ONE S.A. and found a breach of Article 32 paragraph (1) letters b) and d), in conjunction with Article 32 paragraph (2) of Regulation (EU) 2016/679, as well as of Article 4 paragraph (5) of Law no. 506/2004 on the processing of personal data and the protection of privacy in the electronic communications sector, as amended and supplemented.

Therefore, the controller was sanctioned with:

  • a fine of Lei 124,150, the equivalent of EUR 25,000, for the breach of Article 32 paragraph (1) letters b) and d), in conjunction with Article 32 paragraph (2) of Regulation (EU) 2016/679;
  • a fine of Lei 40,000 for the breach of Article 4 paragraph (5) of Law no. 506/2004.

The investigation was started following a notification regarding a potential personal data security breach on the controller's website.

The investigation found a data security breach: a file on the controller's website containing personal data (first name, last name, address, telephone number, e-mail addresses, contract number and date of conclusion) of at least 750 data subjects was accessible to the public, through a link generated by search engines, for a period of approximately two and a half years.

It was also found that, when the website managed by the controller was accessed, cookies that were not technically necessary were installed on the user's device before consent was given by pressing the Accept button. Expressing disagreement with the installation of these cookies by pressing the Refuse button had no effect on them: they remained installed in their initial form on the user's device for a certain period of time.

In addition to the fines, the National Supervisory Authority for Personal Data Processing also applied corrective measures, ordering the controller to implement a plan of procedures that includes a process for the periodic testing, evaluation and assessment of all systems and of their subsequent modifications made by the controller or by its service providers (processors), specifically for the website managed by the controller.

 

Legal and Communication Department

A.N.S.P.D.C.P.