The National Supervisory Authority for Personal Data Processing completed, in March 2025, an investigation at the controller BINBOX GLOBAL SERVICES S.R.L. and found the breach of Article 32 paragraph (1) letters b) and d) and Article 32 paragraph (2) of Regulation (EU) 2016/679.

As such, the controller was sanctioned:

with fine of 14,930.70 lei, the equivalent of 3,000 euros, for the infringement of Article 32 paragraph (1) letters b) and d) and Article 32 paragraph (2) of Regulation (EU) 2016/679.

The investigation was initiated following the transmission by the controller BINBOX GLOBAL SERVICES S.R.L. of a personal data breach notification, in accordance with the provisions of Article 33 of Regulation (EU) 2016/679.

During the investigation, it was found that, following a cyberattack, the controller’s IT infrastructure was accessed and encrypted, which led to the unauthorized disclosure or unauthorized access to personal data.

As such, it was found that the controller did not implement appropriate technical and organizational measures, including the ability to ensure the confidentiality, integrity, availability and continuous resilience of the processing systems and services.

In this context, the unauthorized disclosure or unauthorized access to personal data of a significant number of data subjects, customers of the controller, took place.

The controller paid the established fine.

Legal and Communication Department

A.N.S.P.D.C.P