
12.03.2025

Sanction for the breach of the GDPR

 

The National Supervisory Authority for Personal Data Processing completed, in February 2025, an investigation at the controller Automobilus International S.R.L. and found a breach of Article 32 paragraphs (1) and (2) of Regulation (EU) 2016/679.

As such, the controller was sanctioned with a fine of 24,885 lei, the equivalent of 5,000 euros.

The investigation was initiated following the transmission by the controller Automobilus International S.R.L. of a notification of a personal data breach, in accordance with the provisions of Article 33 of Regulation (EU) 2016/679.

Thus, the controller reported a security incident, namely that information from its database was illegally accessed by a third party and, at the same time, the confidentiality of some personal data was lost. The controller also notified that access to the information in the records system it held was obtained by exploiting a vulnerability in one of the controller’s servers.

During the investigation, it was found that the controller did not implement adequate technical and organizational measures to ensure a level of security appropriate to the risk of the processing, generated in particular by the accidental or illegal destruction, loss, modification, unauthorized disclosure of, or unauthorized access to personal data transmitted, stored or otherwise processed, as it was obliged to do under Article 5 paragraph (1) letter f) of the GDPR.

In this context, certain categories of personal data were illegally accessed, such as: name, surname, telephone number, delivery address, belonging to a significant number of the controller’s customers.

Thus, since adequate technical and organizational measures were not taken to ensure an appropriate level of security, a violation of the provisions of Article 32 paragraphs (1) and (2) of Regulation (EU) 2016/679 was found, and the controller was fined.

At the same time, pursuant to Article 58 paragraph (2) letter d) of the Regulation, the controller was ordered, as a corrective measure, to inform the affected data subjects about the security incident, as well as about the technical and organizational measures adopted to remedy it, by displaying a statement on the front page of the company’s website.

 

Legal and Communication Department

A.N.S.P.D.C.P