The National Supervisory Authority for Personal Data Processing completed, in March 2025, an investigation at the controller NEW GAMBLING SOLUTIONS S.R.L. and found the breach of Article 32 paragraph (1) letters b), d) and paragraph (2) of Regulation (EU) 2016/679.

As such, the controller was sanctioned with

fine in the amount of 9,951.20 lei, the equivalent of 2,000 euros for the infringement of Article 32 paragraph (1) letters b), d) and paragraph (2) of Regulation (EU) 2016/679.

The investigation was initiated following the transmission by the controller NEW GAMBLING SOLUTIONS S.R.L. of a notification of a personal data breach, in accordance with the provisions of Article 33 of Regulation (EU) 2016/679.

During the investigation, it was found that, following a cyberattack, data from the controller’s IT infrastructure was accessed by a third party, namely the data of the controller’s employees (surname, first name, CNP, ID series and number, home address, data regarding the professional activity of the employees).

In this context, we specify that this situation led to the unauthorized disclosure or unauthorized access by a third party to the personal data of a significant number of data subjects.

As such, it was found that the controller did not implement appropriate technical and organizational measures and did not carry out periodic testing, evaluation and assessment of the effectiveness of technical and organizational measures to guarantee the security of data processing, including the ability to ensure the confidentiality, integrity, availability and continued resilience of processing systems and services, in accordance with the provisions of Article 32 paragraph (1) letters b), d) and paragraph (2) of the GDPR.

The controller paid the imposed fine.

Legal and Communication Department

A.N.S.P.D.C.P