Romania: ANSPDCP fines Rompetrol Downstream €110,000 for repeated data breaches
The National Supervisory Authority for Personal Data Processing (ANSPDCP) announced, on November 13, 2023, its decision to impose a fine of €110,000 on Rompetrol Downstream SRL for violations of the General Data Protection Regulation (GDPR), following multiple security breach notifications.
Background to the decision
The investigation was initiated after Rompetrol Downstream notified the ANSPDCP of several security breaches affecting personal data, between July 20, 2021, and February 3, 2022, in accordance with Article 33 of the GDPR.
Findings of the ANSPDCP
The ANSPDCP found that personal data of Rompetrol Downstream's customers was repeatedly accessed internally without authorization and illegally disclosed for the purpose of obtaining loans on behalf of the affected customers.
The personal data illegally disclosed included names and surnames, identity card numbers, personal numeric codes, addresses, places of birth, photos, as well as data contained in the salary certificates (date, signature, income, and seniority).
The ANSPDCP found that Rompetrol Downstream violated Articles 32(1)(b), 32(2), and 32(4) of the GDPR by failing to:
- implement adequate technical and organizational measures to ensure a level of security corresponding to the risk of processing; and
- take measures to prevent any natural person with access to personal data under its authority from processing the personal data without authorization.
Outcomes
In light of the above, the ANSPDCP imposed a fine of €110,000 on Rompetrol Downstream.
You can read the press release, only available in Romanian, here.