Romania: ANSPDCP fines Rompetrol RON 19,893 for data breach
On November 28, 2024, the National Supervisory Authority for Personal Data Processing (ANSPDCP) fined KMG Rompetrol SRL RON 19,893 (approx. $4,210) for violations of the General Data Protection Regulation (GDPR) following notifications of data breaches.
Background to the decision
The ANSPDCP initiated an investigation after Rompetrol notified it of a security incident affecting personal data, in compliance with Article 33 of the GDPR. The incident involved several people receiving phishing emails from Rompetrol's email address; as a result, personal data of the affected people, such as email addresses, names and surnames, and signatures, was downloaded and accessed illegally.
Findings of the ANSPDCP
The ANSPDCP found that Rompetrol's email address had a password known to several Rompetrol employees, which allowed unauthorized access to the email address, thus violating data confidentiality. The ANSPDCP also noted that Rompetrol did not implement adequate technical and organizational measures to ensure a level of security corresponding to the risk of personal data processing, including the ability to ensure confidentiality.
Therefore, the ANSPDCP concluded that Rompetrol violated Articles 32(1)(b) and 32(2) of the GDPR.
Outcomes
In light of the above, the ANSPDCP fined Rompetrol RON 19,893 (approx. $4,210) and required Rompetrol to establish an inspection/audit plan to take measures to correct the identified deficiencies so as to avoid similar security incidents.
You can read the press release, only available in Romanian, here.