


Sanction for the GDPR infringement


In February of this year, the National Supervisory Authority completed two investigations of the controllers Finopro IFN SA and Integral Collection SRL and found a breach of the provisions of Article 32 paragraph (1) letters b) and c) and paragraph (2) of the General Data Protection Regulation (GDPR).

Therefore, the controllers were sanctioned as follows:

  1. Finopro IFN SA with a fine of Lei 11,023.42, the equivalent of EUR 2,250;
  2. Integral Collection SRL with a fine of Lei 14,697.90, the equivalent of EUR 3,000.

The investigations were started after the controllers submitted personal data breach notifications under the GDPR.

The investigations found that the breach of data processing security followed several ransomware-type attacks, which significantly led to unauthorized access to personal data and to the loss of its integrity and availability (such as identification data, data from identity cards, addresses, telephone numbers, account statements).

Therefore, also taking into account the measures announced by these controllers to remedy the situation, and with reference to the criteria for determining sanctions set out in Article 83 of the GDPR, a fine was imposed for the breach of the provisions of Article 32 paragraph (1) letters b) and c) and paragraph (2) of the GDPR, given that the controllers did not implement adequate technical and organizational measures to ensure a level of security appropriate to the processing risk, including the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services.

Legal and Communication Department