The Romanian supervisory authority (ANSPDCP) has imposed a total penalty of RON 164,150 (approximately $34,929) on Restart Energy One SA. The penalty was imposed for violations of the GDPR and Law No. 506/2004 concerning the processing of personal data and the protection of privacy in the electronic communications sector.
The ANSPDCP received a notification of a potential personal data breach on the Restart Energy One website. After investigation, the authority found that a file with the personal data of at least 750 individuals had been publicly available on the Restart Energy One website for approximately two and a half years.
The ANSPDCP found that when visiting the Restart Energy One website, non-mandatory cookies were installed on the user’s device before the user could consent to them. It also found that the ‘refuse’ button did not stop the installation of cookies on the device.
In addition to the fine, the ANSPDCP ordered Restart Energy One to implement a procedure for testing, evaluating and periodically assessing all systems and subsequent changes to them, especially on the website managed by Restart Energy One.