The National Supervisory Authority for Personal Data Processing completed, in December 2024, an investigation at the operator FARMEC SA and found a violation of art. 25 para. (1) in conjunction with art. 32 para. (1) let. b), d) and para. (2) of Regulation (EU) 2016/679.
As such, the operator was fined 24,854.50 lei (equivalent to 5,000 euros).
The investigation was initiated following the transmission by the controller FARMEC SA of a personal data breach notification, according to the provisions of Article 33 of Regulation (EU) 2016/679.
During the investigation, it was found that, following a cyber attack, a database of users and administrators of the operator’s website was accessed, which led to the extraction of data from the aforementioned record system.
It was also found that the operator did not implement the necessary security measures at the time of the incident to prevent the attack and did not update its IT systems to the latest version allowed by licensing, to deal with new cyber threats.
This led to the unauthorized disclosure of, or unauthorized access to, personal data of a significant number of natural persons concerned, such as: name, surname, e-mail address, encrypted password for user account access, thus violating the provisions of art. 25 para. (1) in conjunction with art. 32 para. (1) let. b), d) and para. (2) of Regulation (EU) 2016/679.
The operator paid the established misdemeanor fine.
https://www.dataprotection.ro/index.jsp?page=Comunicat_Presa_05_02_2025&lang=ro