The National Supervisory Authority for Personal Data Processing completed, in May 2025, an investigation at the controller Vodafone Romania S.A. and found the breach of Article 25 paragraphs (1) and (2) of Regulation (EU) 2016/679.

As such, the controller was sanctioned with a reprimand and a fine of 20,226 lei, the equivalent to 4,000 euros.

The investigation was initiated following the transmission by the controller of a personal data breach notification, in accordance with the provisions of Article 33 of Regulation (EU) 2016/679.

During the investigation, it was found that the controller did not implement appropriate technical and organizational measures, both when establishing the means of processing and during the processing itself, intended to effectively implement the data protection principles and to integrate the necessary safeguards into the processing, in order to meet the requirements of Regulation (EU) 2016/679 and to protect the rights of data subjects.

This led to the unauthorized disclosure and unauthorized access to personal data belonging to several data subjects, customers of the controller (identification data: name and surname, unique identifier for the individual, Vodafone customer code and personal identification number for foreign citizens, passport series or other equivalent, contact details: mailing address, financial data: payment amount related to the invoice).

The controller was also ordered to take the corrective measure of technical and procedural implementation of a mechanism applied at regular intervals, regarding the periodic testing, evaluation and assessment of the effectiveness of the measures adopted, taking into account the risk presented by the processing, in order to ensure an appropriate level of security and avoid similar security incidents in the future.

Legal and Communication Department

A.N.S.P.D.C.P