The National Supervisory Authority for Personal Data Processing has completed an investigation at the controller VESTAS CEU ROMÂNIA SRL and found a breach of Article 32 para. (1) lit. b) and Art. 32 para. (2) and para. (4) of Regulation (EU) 2016/679.
As such, the controller was fined 14,928 lei (equivalent to 3,000 EUR).
The investigation was initiated following the transmission by the controller of a personal data breach notification under Article 33 of Regulation (EU) 2016/679.
The data breach occurred as a result of the unauthorised disclosure of personal data for a significant number of employees: name, place of residence, salary, CV (containing, as the case may be: photo, contact details, address, nationality, date of birth, gender, marital status, military service status, referrals to social media profiles, professional experience, education, technical skills), as well as copies of passports. This data was accessed internally, on repeated occasions, and illegally disclosed to a third party.
The investigation found that the controller did not implement adequate technical and organisational measures to ensure a level of security appropriate to the risk presented by the processing, in particular the risk arising from unauthorised disclosure of, or unauthorised access to, stored personal data.
At the same time, pursuant to Article 58 para. (2) lit. d) of the GDPR, the controller VESTAS CEU ROMÂNIA SRL was also ordered, as a corrective measure, to implement a solution to monitor the application of the working procedures it has implemented, in order to avoid similar security incidents.
https://www.dataprotection.ro/index.jsp?page=Comunicat_Presa_26.02.2024&lang=ro