The National Supervisory Authority for Personal Data Processing completed, in June 2025, an investigation at the controller SC Tremend Software Consulting SRL and found the breach of Article 32 paragraph (1) letter b), paragraph (2) and paragraph (4) of Regulation (EU) 2016/679.

As such, SC Tremend Software Consulting SRL was sanctioned with a fine of 15,161.10 lei, the equivalent of 3,000 euros.

The investigation was initiated following the submission by SC Tremend Software Consulting SRL of a personal data breach notification under the GDPR.

The investigation found that the controller did not implement appropriate technical and organizational measures to ensure that any natural person acting under its authority and having access to personal data only processes them at the request of the controller.

This situation led to unauthorized access to personal data (name and surname, official work email address, department, main skills of the person, office where the person is employed, region related to the office where the person is employed, position related to the department/specialization, way to log in to the Windows system, login ID) of the controller's employees, during the period December 2024 - February 2025.

In this context, in relation to the criteria for individualizing the sanctions provided for in Article 83 of the GDPR, the controller SC Tremend Software Consulting SRL was fined for violating the provisions of Article 32 paragraph (1) letter b), paragraph (2) and paragraph (4) of Regulation (EU) 2016/679.

We would like to point out that the controller has paid the fine imposed on it.

Legal and Communication Department

A.N.S.P.D.C.P