The National Supervisory Authority for Personal Data Processing completed, in April 2025, an investigation at the controller ACCOUNTING & AUDIT CONSULTING SRL and found the breach of Article 32 paragraph (1) and paragraph (2) of Regulation (EU) 2016/679.

As such, the controller was sanctioned with a fine in the amount of 24,887.00 lei, the equivalent of 5,000 euros.

The investigation was initiated following a notification of a personal data breach, in accordance with the provisions of Article 33 of Regulation (EU) 2016/679.

During the investigation, it was found that unauthorized persons had illegally accessed the personal data of the employees of the controller’s clients, namely: name, surname, personal identification number, domicile, position, salary, bonuses and other salary rights.

As a result, it was found that the controller had not implemented adequate technical and organizational measures to ensure a level of security appropriate to the risk of processing, in particular, accidental or unlawful destruction, loss, modification, unauthorized disclosure and unauthorized access to personal data transmitted, stored and otherwise processed.

At the same time, in accordance with the provisions of Article 58 paragraph (2) letter d) of Regulation (EU) 2016/679, the controller was also subject to the corrective measure of periodically verifying compliance with the implemented work procedures regarding the protection of personal data, as well as the periodic training of persons acting under its authority, including on the risks involved in the processing of personal data.

We mention that the controller paid the fine imposed.

Legal and Communication Department

A.N.S.P.D.C.P