The National Supervisory Authority for Personal Data Processing fined Hidroelectrica 15,000 euros. The company paid the fine.
“The National Supervisory Authority for Personal Data Processing completed, in December 2024, an investigation into the operator S.P.E.E.H. HIDROELECTRICA S.A and found a violation of art. 25 para. (1) and para. (2) of Regulation (EU) 2016/679. As such, the operator was fined 74,562 Lei (equivalent to 15,000 Euros),” the institution said in a press release.
The investigation was opened after the company submitted a personal data breach notification. It found that the breach occurred within the operator's application at the time of its launch, as a result of a technical error and of insufficient testing of the application in a test environment that would simulate the real-world usage environment in all processes and interactions with other applications used by the operator.
“This situation led to the loss of the integrity and availability of personal data, respectively to the unauthorized disclosure and/or unauthorized access to personal data belonging to a significant number of data subjects. Consequently, since the operator did not process the personal data in a manner that ensures their adequate security, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, by taking appropriate technical or organizational measures, it was fined for violating the provisions of art. 25 para. (1) and para. (2) of Regulation (EU) 2016/679”, the institution states.
“At the same time, the operator was ordered to take the corrective measure of technical and procedural implementation of a test plan in the test environment, which would simulate the real production scenario in all plausible situations in the production environment, prior to the launch in production of all components/applications that are intended to be introduced within the activities that include the processing of personal data”, the National Supervisory Authority for Personal Data Processing also states.
In response, Hidroelectrica admitted the error, arguing that this unfortunate event does not reflect the company’s data protection standards.
“Following the publication of the article regarding the investigation of the National Authority for the Supervision of Personal Data Processing (ANSPDCP) in relation to the operator S.P.E.E.H. Hidroelectrica S.A., our company wishes to address some important clarifications in order to ensure transparency and public trust. Hidroelectrica reaffirms its firm commitment to the protection of the personal data of its customers and employees. This unfortunate incident does not reflect our company’s standards regarding data protection and we are dedicated to strengthening security measures to ensure that all our processes comply with the highest data protection standards. We would like to point out that this single incident was caused by a technical error that occurred during the data migration to the iHidro system in October 2023, affecting 69 users out of the company’s over 500,000 customers. The error was promptly remedied. Hidroelectrica fully complied with the authorities’ recommendations and implemented additional technical and organizational measures to prevent the recurrence of such errors,” Hidroelectrica said in a press release.