Incident background: data breach notification under Article 33 GDPR
The investigation was initiated after CV PRO CONSULT S.R.L. submitted a data breach notification, as required by Article 33 GDPR. The operator reported a cyberattack that compromised its internal IT infrastructure, leading to:
- unauthorized access to company systems
- the operator's own access to its data being restricted
- exposure of sensitive personal data belonging to employees of client organizations
Personal data exposed during the breach
The cyberattack resulted in unauthorized access to a significant volume of personal data, including:
- full name
- personal identification number (CNP)
- home address
- job position
- salary information
- bonuses and other remuneration details
These categories of data are considered high-risk, and their exposure may lead to identity theft, fraud, or professional harm.
ANSPDCP findings: inadequate technical and organizational measures
The Authority concluded that the operator failed to implement appropriate technical and organizational measures, in breach of Article 32 GDPR. Key deficiencies included:
- insufficient controls to prevent unauthorized access
- inadequate protection against cyberattacks
- incomplete internal procedures for data security
- lack of regular staff training on data protection risks
Corrective measures imposed
Under Article 58(2)(d) GDPR, ANSPDCP ordered the operator to:
- conduct periodic reviews of internal data protection procedures
- provide regular training for all staff handling personal data
- strengthen technical and organizational security measures
The operator has paid the imposed fine.
Conclusion: a strong reminder for organizations handling sensitive data
This case highlights the critical importance of:
- robust cybersecurity measures
- continuous risk assessment
- employee awareness and training
- proactive monitoring and auditing of IT systems
In an era of increasing cyber threats, GDPR compliance is not merely a legal requirement but a fundamental component of enterprise risk management.