The National Supervisory Authority for Personal Data Processing, finalised, in September 2025, an investigation at the controller PRIME TRANSACTION SA and found the infringement of the provisions of Article 32 paragraph (1) letters b) and d) and paragraph (2) of the General Data Protection Regulation (GDPR).

As such, the controller was sanctioned with a fine of 10,162.2 lei, the equivalent of 2,000 euros.

The investigation was initiated following the submission by PRIME TRANSACTION SA of a personal data breach notification pursuant to Regulation (EU) 2016/679.

During the investigation, it was found that the data processing security breach occurred as a result of a cyberattack, which led to unauthorized access, during the period 09-10.06.2025, to the personal data (name, address, personal identification number, e-mail addresses, telephone numbers, bank statements, annual income, employer, copies of identity documents) of a significant number of data subjects.

As such, in relation to the criteria for individualizing the sanctions provided for in Article 83 of Regulation (EU) 2016/679, a fine was imposed for the violation of the provisions of Article 32 paragraph (1) letters b) and d) and paragraph (2) of the GDPR, as the controller PRIME TRANSACTION SA did not implement appropriate technical and organizational measures and did not carry out periodic testing, evaluation and assessment of the effectiveness of the technical and organizational measures to guarantee the security of the processing.

Legal and Communication Department

A.N.S.P.D.C.P