In July of this year, the National Supervisory Authority completed an investigation at the operator Ana Hotels SRL and found a violation of the provisions of art. 32 para. (1) lit. b) and d) in conjunction with art. 32 para. (2) of the General Data Protection Regulation (GDPR).
As such, the operator was fined 39,763.20 lei, equivalent to 8,000 EURO.
The investigation was initiated following the submission by the operator of a personal data breach notification under the GDPR.
During the investigation, it was found that the breach of data processing security occurred as a result of a ransomware-type computer attack, a situation that led to the unauthorized disclosure of personal data processed and stored through the computer systems of Ana Hotels SRL, for a significant number of data subjects, employees of the operator.
As such, in relation to the criteria for individualizing sanctions provided for by art. 83 of the GDPR, the penalty was imposed for violating the provisions of art. 32 para. (1) lit. b) and d) in conjunction with art. 32 para. (2) of the GDPR, because the operator had not implemented adequate technical and organizational measures to ensure a level of security corresponding to the processing risk, including the ability to ensure the confidentiality of processing systems and services.
At the same time, the operator was also ordered to take the corrective measure of implementing a procedural plan that includes a process of periodic testing, evaluation and assessment of all IT systems of the operator through which personal data is processed, in order to guarantee the security of the processing. The plan also includes continuous logging of both access and data traffic on the servers of the IT infrastructure of the operator Ana Hotels SRL for at least 30 calendar days, including the application of a backup process to it over a similar period of time.
https://www.dataprotection.ro/index.jsp?page=Comunicat_Presa_20.08.2024&lang=ro