Home » Comunicat_Presa_07_11_2025
 Română | English | Francais

sigla_anspdcp_2.png

The new Regulation 2016/679 applicable from 25th of May 2018

 

Complaints

GDPR Complaints

 

Procedure for complaints

Information on the payment of fine by legal entities

Controllers

Data Protection Officer Form

 

GDPR Breach Notification

 

Law nr. 506/2004 Breach Notification

 

GDPR Sanctions

Schengen

 

Schengen

Visa Information System

 

 

 

Visa Information System

News

Useful Information

 

F.A.Q.

Guidelines Q&A Regulation (EU) 2016/679

Indicative guidelines GDPR

Guidelines on the application of Law no. 363/2018

Useful Links

 

TFTP - Terrorist Finance Tracking Program

 

 

 

Procedure

Forms

Contact

Contact us

Data Protection

Information on the processing of personal data carried out by ANSPDCP

 

Cookies policy

07.11.2025

Sanction imposed for the breach of the GDPR

 

Based on the cooperation mechanisms provided for by Regulation (EU) 2016/679, Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal, as the lead supervisory authority, completed an investigation at the controller Klass Wagen S.R.L. and found a violation of the provisions of Article 32 (1) b) and d) and Article 32 (2) of Regulation (EU) 2016/679.

As such, the controller was fined 35,615 lei (equivalent to 7,000 euros).

The investigation was initiated following the transmission by the controller Klass Wagen S.R.L. of a notification regarding the breach of personal data security, according to the provisions of Article 33 of Regulation (EU) 2016/679, as well as following an intimation received by the Authority.

Thus, the notified security breach concerned a possible unauthorized access to the controller’s contract management system. The notification sent to the Romanian SA showed that the incident was reported internally with a delay, for which the necessary and appropriate measures were not immediately taken at the controller level, which led to the personal data of a significant number of data subjects being affected, including from other Member States of the European Union.

The investigation found that the security breach occurred as a result of a former employee disclosing the credentials of some colleagues for the contract management system, which allowed unauthorized access to personal data (name, surname, address, telephone number, email, place and date of birth, driving license number and expiration date, ID/passport series and number, personal identification number) of a significant number of data subjects, including data subjects from EU/European Economic Area and Non-EU member states.

As such, it was found that the controller violated the provisions of Article 32 (1) b) and d) and Article 32 (2) of Regulation (EU) 2016/679, as it did not implement adequate technical and organizational measures, which led to the unauthorized disclosure and unauthorized access to the personal data of a very large number of individual customers and its employees.

In this context, in relation to the cross-border implications of the situation, the controller Klass Wagen S.R.L. was sanctioned through a Decision of Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal with a fine, according to the powers established by the Regulation (EU) 2016/679 and by Law no. 102/2005, republished.

At the same time, the national supervisory Authority imposed a corrective measure ordering the controller to implement a procedure for revoking access rights and deactivating accounts associated with former employees.

 

Legal and Communication Department

A.N.S.P.D.C.P.