Romania: The Close Link Between GDPR Compliance and Cyber Security Breaches Is Often Disregarded

The close relationship between data protection and cyber security results from Art. 5 of the European Union’s (EU) General Data Protection Regulation (“GDPR”) which outlines one of the most important principles relating to processing of personal data: “integrity and confidentiality”.

More specifically, Art. 5(1)(f) of the GDPR stipulates that, “Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures”.

In 2020, an overall increase in fraudulent activities was documented in the ACFE’s “Fraud in the Wake of Covid-19: Benchmarking Report”.

In the event of an attack, the last line of defence that organisations used to fall back on, security through obscurity, no longer holds: once all personal data has been mapped and accounted for, as the GDPR requires, it is also visible to an attacker who gets in. The GDPR thus turns security from a consideration into a necessity.

One of the most frequent cyberattacks that we see in practice is phishing, or email fraud, in which attackers gain access to an organisation’s network by targeting the email accounts of a business and its clients directly. Phishing just edges out scanning for and exploiting vulnerabilities and the unauthorised use of credentials.

With the stolen data, attackers can pretend to be the company in question, having all the necessary information, and they can even fraudulently issue invoices, ostensibly from this company, to its business partners.

Legal obligation of an organization to report a breach

Organizations must report a personal data breach as a result of a cyberattack without undue delay and, where feasible, not later than 72 hours after having become aware of it, to the competent supervisory authority unless the personal data breach is unlikely to result in a risk to the rights and freedoms of data subjects. In some cases, organizations must also notify individuals whose data was exposed without undue delay.

The company must conduct the impact assessment of the data breach and draw up the risk analysis in order to determine if it is necessary to notify the supervisory authority.

Even if the data breach is not reported, our recommendation for companies is to keep a register in which breaches are documented and evidence is collected. In the event of a check by the supervisory authority, justification can be given as to why the company did not consider it necessary to notify the authority.

When in doubt, the company in question must presume that personal data was also stolen, considering that this possibility cannot be excluded. In most cases, IT investigations cannot confirm with certainty whether personal data have been stolen, but they likewise cannot exclude this possibility.

Companies must document any personal data breaches, including the facts relating to the personal data breach, its effects and the remedial action taken. The contact details of the data protection officer or main contact person dealing with the breach must also be provided. Failure to issue a breach notification can result in a fine of up to EUR 10 million or 2% of a company’s revenues.

Preventive measures

Preventing a breach of a company’s network and its systems requires protection against a variety of cyberattacks. The first line of defence for any organisation is to assess and implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, such as data encryption, endpoint protection, daily backups, anti-malware solutions and efficient firewalls.

Other effective ways to protect against cyberattacks and all types of data breaches include (i) providing employees with cyber awareness training; (ii) maintaining complete records; (iii) conducting risk assessments (Data Protection Impact Assessment); and (iv) developing a cybersecurity policy.

By Oana Piticas, Senior Associate, Raluca Botea, Senior Associate, and Flavia Denisa Margas, Associate, Noerr
