Fine for the infringement of GDPR
In October 2021, the National Supervisory Authority finalised an investigation at the controller Valoris Center S.R.L., following which it found a breach of the provisions of Article 29, Article 32 paragraph (1) letters b) and d) and paragraph (4) of the General Data Protection Regulation.
Therefore, the controller was sanctioned with a fine in the amount of Lei 9,898 (the equivalent of EUR 2,000).
The investigation was started following a personal data breach notification that was transmitted by a controller, based on the provisions of Article 33 of the General Data Protection Regulation.
According to the notification form, the personal data security breach occurred because a call centre employee of Valoris Center S.R.L. (processor) mistakenly sent a client of the controller, as an attachment, an Excel document containing the data of that controller's clients who have the Internet Banking service.
During the investigation it was found that this breach resulted in the unauthorised disclosure of, or unauthorised access to, certain personal data, such as e-mail address, user name, user CNP, telephone number, client’s name, client’s code and client’s PIN; 11169 data subjects were affected by the incident.
Considering these aspects, it was established that Valoris Center S.R.L., as processor, by reference to the provisions of Articles 29 and 32 of the General Data Protection Regulation, did not take appropriate measures to ensure that any natural person acting under its authority who has access to personal data processes them solely at its request.
Legal and Communication Department