The National Supervisory Authority finalized in December 2020 an investigation at the controller Apă Canal Ilfov SA and found the breach of the provisions of Article 32 paragraph (1) letter b), Article 32 paragraph (2) and Article 32 paragraph (4) of Regulation (EU) 2016/679.

Therefore, the controller was sanctioned with fine in amount of Lei 14,757.60 (the equivalent of EUR 3,000).

The investigation was started following a data security breach notification that was submitted by the controller Apa Canal Ilfov SA.

Within the investigation it was found that the breach of the data processing security took place following the fact that, in order to provide an electronic message to the users registered on the online portal of the company, the controller introduced by error the e-mail addresses within the section “To” instead of “BCC”.

Consequently, it resulted that this breach led to the unauthorized disclosure or unauthorized access to personal data (e-mail address), therefore, that a significant number of data subjects was affected.

It was found that the controller Apa Canal Ilfov SA did not implement adequate technical and organizational measures in order to ensure a level of security corresponding to the risk of the processing.

Legal and Communication Department

A.N.S.P.D.C.P.