On the 25th of February 2020, the National Supervisory Authority finalised an investigation at controller Enel Energie Muntenia SA and found that the controller infringed the provisions of Article 32 of the General Data Protection Regulation, with reference to the security of the processing.

The controller Enel Energie Muntenia SA was sanctioned with an administrative fine of 14,423.7. lei, the equivalent of 3,000 euros.

The violation of the security and confidentiality of personal data consisted in the fact that the controller Enel Energie Muntenia SA transmitted to the e-mail address of a client a natural person, the personal data (name and surname, address, e-mail address, client code, eneltel code) of another client.

The controller Enel Energie Muntenia SA was sanctioned because it did not implement adequate technical and organisational measures in order to ensure a level of security corresponding to the risk of the processing generated especially, accidentally or illegally, by the unauthorised disclosure or the unauthorised access to personal data.

The National Supervisory Authority carried out the investigation as a result of an intimation sent by a client of the controller, intimation which was accompanied by conclusive evidence regarding the aspects notified.

At the same time, a corrective measure was applied to the controller Enel Energie Muntenia SA, pursuant to the provisions of Article 58 paragraph (2) letter i) of the General Data Protection Regulation.

Thus, the controller was obliged to ensure compliance with the General Data Protection Regulation by implementing appropriate and efficient security measures, both technically and organisationally, within 30 working days of the communication the minutes of finding/sanctioning.

Legal and Communication Department

A.N.S.P.D.C.P.