In October this year, the National Supervisory Authority completed an investigation into the operator Mensajero SRL, in which it found a breach of Article 32(2) of the GDPR. (1) (b) and (d) in conjunction with Art. 32 para. (2) of the General Data Protection Regulation.

As such, the controller was fined 14,925.6 lei, equivalent to 3,000 EURO.

The sanction was imposed following a complaint alleging a possible personal data breach on the website of the operator Mensajero SRL.

During the investigation, it was found that the data processing breach occurred by accessing a link displaying a list of numerous downloadable files containing, for the most part, invoices and guarantee certificates for products purchased by the operator’s customers.

This led to the unauthorised disclosure of personal data of the controller’s customers (natural and legal persons), such as: name, surname, address, e-mail address, invoice number and date, products purchased and their value.

Thus, the operator Mensajero SRL was fined for violation of Article 32 para. (1) (b) and (d) in conjunction with Art. 32 para. (2) of the General Data Protection Regulation, as it did not implement adequate technical and organisational measures to ensure a level of security appropriate to the risk of processing.

https://www.dataprotection.ro/index.jsp?page=Comunicat_Presa_24_10_2023&lang=ro