BUCHAREST – The National Supervisory Authority for the Processing of Personal Data (ANSPDCP) has concluded an investigation into CVA TAX & FINANCE S.R.L., resulting in a fine of 9,954.80 RON (approx. 2,000 EUR).
The investigation identified a breach of Article 32, paragraphs (1) and (2) of Regulation (EU) 2016/679 (GDPR). The case was initiated following a mandatory data breach notification submitted by the operator in accordance with Article 33 of the GDPR.
Incident Details
The probe revealed that a cyberattack compromised the operator's IT infrastructure, leading to unauthorized access and the encryption (restriction) of data. This breach impacted a significant number of employees belonging to the operator’s corporate clients, exposing sensitive categories such as:
- Full names and Personal Identification Numbers (CNP);
- Home addresses;
- Employment details: roles, base salaries, bonuses, and other financial benefits.
Enforcement and Remediation
The Authority ruled that the operator failed to implement adequate technical and organizational measures to ensure a level of security appropriate to the risks of accidental or unlawful destruction, loss, or unauthorized disclosure. In addition to the fine, a corrective measure was issued under Article 58 of the GDPR, requiring the operator to:
- Establish a periodic audit system for internal data protection procedures.
- Implement regular training programs for staff regarding data processing risks and cybersecurity awareness.