25.03.2025
Sanction for the breach of the GDPR
The National Supervisory Authority for Personal Data Processing completed, in February 2025, an investigation at the controller NTT DATA ROMÂNIA S.A. and found a breach of Article 32 paragraph (1) letters b) and d), paragraph (2) and Article 33 paragraph (1) of Regulation (EU) 2016/679.
As such, the controller was sanctioned:
- with a fine of 124,432.50 lei, the equivalent of 25,000 euros, for the infringement of Article 32 paragraph (1) letters b) and d), paragraph (2) of Regulation (EU) 2016/679;
- with a reprimand for the infringement of Article 33 paragraph (1) of Regulation (EU) 2016/679.
The investigation was initiated following the transmission by the controller NTT DATA ROMÂNIA S.A. of a personal data breach notification, in accordance with the provisions of Article 33 of Regulation (EU) 2016/679.
During the investigation, it was found that, following a cyberattack, the controller’s IT infrastructure was accessed and thus personal data were extracted in an unauthorized manner.
As such, it was found that the controller did not implement appropriate technical and organizational measures and did not periodically test, evaluate and assess the effectiveness of the technical and organizational measures in order to ensure the security of data processing, including the ability to ensure the confidentiality, integrity, availability and continuous resilience of the processing systems and services.
In this context, we would like to point out that this situation led to unauthorized access to the personal data of a significant number of data subjects, such as: name, surname, signature, address, telephone number, e-mail address, gender, nationality, copies of identity documents, marriage certificates, passports and birth certificates; employment information; financial information (invoices, contracts, budget plans); educational information (records of training courses, participation in training courses, CVs, diplomas); and sensitive data regarding the health of employees.
Also, during the investigation, it was found that the controller did not notify the Supervisory Authority within 72 hours from the date on which it became aware of the personal data breach incident, thus violating the provisions of Article 33 paragraph (1) of the GDPR.
The controller paid the established fine.
Legal and Communication Department
A.N.S.P.D.C.P