The Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) has concluded an investigation into Maravet S.R.L., finding violations of Article 32(4) in correlation with Article 32(1)(b), 32(1)(d) and Article 32(2) of Regulation (EU) 2016/679 (GDPR).
As a result, the operator received an administrative fine of 24,885.50 Lei, equivalent to 5,000 EUR, which has already been paid.
How the Incident Started
The investigation was initiated after Maravet S.R.L. submitted a data breach notification under Article 33 GDPR.
The company reported that a former employee had copied and unlawfully disclosed personal data from the company’s database, publishing it online.
Further analysis revealed that the former employee uploaded the data to the website of their new employer, where it remained publicly accessible for a certain period.
What Personal Data Was Exposed
The breach affected a significant number of data subjects. The exposed information included:
- full names
- phone numbers
- email addresses
- home addresses
- national identification numbers (CNP)
- ID card and passport series and numbers
- employment documents
- employee salaries
- employee performance evaluations
- photographs of employees and clients
This constitutes a major unauthorized disclosure involving highly sensitive personal data.
ANSPDCP’s Findings
The Authority concluded that Maravet S.R.L. failed to implement adequate technical and organizational measures to prevent unauthorized access and ensure proper data security. Specifically:
- the operator did not ensure that persons acting under its authority who had access to personal data processed it only on its instructions
- access controls were insufficient to ensure the ongoing confidentiality and integrity of the processing systems
- no effective measures were in place to restrict or revoke an individual's access to personal data once their employment ended
These shortcomings enabled the former employee to extract and publish sensitive information without any technical or procedural barriers.
Conclusion
The Maravet S.R.L. case highlights the critical importance of enforcing strict access controls, especially during and after employee offboarding.
GDPR requires operators to implement security measures proportionate to the risks associated with data processing. Failure to do so can lead to severe incidents and significant financial penalties.