
07.07.2025

Sanction for non-compliance with GDPR


The National Supervisory Authority for Personal Data Processing completed, in June 2025, an investigation at the controller Partidul Alianța pentru Unirea Românilor (AUR) and found the breach of the provisions:

  1. of Article 32 paragraph (1) letters b) and d) and paragraph (2) of Regulation (EU) 2016/679 in conjunction with Article 25 paragraphs (1) and (2) of the same legal act;
  2. of Article 5 paragraph (1) letter c) and paragraph (2), by reference to the provisions of Article 6 paragraph (1) of Regulation (EU) 2016/679.

For the acts committed, the following sanctions were applied to the controller:

  1. fine of 50,587.00 lei, the equivalent of 10,000 euros
  2. fine of 75,880.50 lei, the equivalent of 15,000 euros.

The investigation was initiated after the controller Partidul Alianța pentru Unirea Românilor (AUR) submitted two personal data breach notifications under Article 33 of Regulation (EU) 2016/679, and following several complaints received by the authority.

a) One of the notified security breaches concerned the aur.mobi application used and managed by the controller, whose vulnerability a third party exploited by accessing the application's source code.

The investigation found that, as a result of a configuration error, the following categories of personal data of the application's users (supporters/members, i.e. individuals who provided personal data in the controller's application) could be viewed within the aur.mobi application at the time of the incident: first and last name, telephone number, e-mail address, residence address, personal identification number, date of birth, nationality, citizenship, gender, religion, profession, occupation, field of activity, experience in other fields, studies (institution, specialization, start date, end date), political experience (party, position, start date, end date), administrative experience (institution, position, start date, end date), foreign languages spoken (language, level).

Therefore, it was found that the controller violated the provisions of Article 32 paragraph (1) letters b) and d) and paragraph (2), in conjunction with Article 25 paragraphs (1) and (2) of Regulation (EU) 2016/679. The controller did not implement appropriate technical and organisational measures to ensure that, by default, personal data are not made accessible to an unlimited number of persons without the individual's intervention, including the ability to ensure the ongoing confidentiality and resilience of the processing systems and services and a process for regularly testing, assessing and evaluating the effectiveness of the technical and organisational measures for ensuring the security of the processing; nor did it implement such measures both when determining the means of processing and during the processing itself. This led to unauthorised disclosure of, and unauthorised access to, the personal data of the application's users (supporters/members of the AUR party), through third parties accessing the source code of the aur.mobi application as a result of querying a vulnerable programming interface.

b) The Permanent Electoral Authority forwarded to the National Supervisory Authority two notifications indicating a possible violation of the provisions of Regulation (EU) 2016/679 by the AUR controller, by collecting personal data (surname, first name, ID number and series, home address, date of birth, email, telephone number, signature) through the platforms www.semnezsivotez.org and www.semnezsivotez.ro for a significant number of data subjects.

During the investigation it was found that the controller processed the personal data for the purpose of informing data subjects about an AUR campaign and for statistical purposes, and that the processed data were not adequate, relevant and limited to what is necessary in relation to the declared purposes of the processing.

As such, it was found that the controller violated the provisions of Article 5 paragraph (1) letter c) and paragraph (2) of Regulation (EU) 2016/679 in relation to Article 6 paragraph (1) of the Regulation, since it processed, without a legal basis, through the websites semnezsivotez.ro and semnezsivotez.org, personal data that were not adequate, relevant and limited to what is necessary in relation to the declared purposes of the processing.

During the investigation, the controller deactivated the IT platforms semnezsivotez.ro and semnezsivotez.org.


Legal and Communication Department

A.N.S.P.D.C.P