
25.04.2025

Sanction for infringing the GDPR

 

The National Supervisory Authority for Personal Data Processing completed, in April 2025, an investigation at the controller SC Travel Planner SRL and found breaches of Articles 32 and 33 and of Article 15, in relation to Article 12 paragraphs (3) and (4), of Regulation (EU) 2016/679.

As such, the controller was sanctioned:

  • with a fine in the amount of 24,886 lei (the equivalent of 5,000 euros), for the infringement of Article 32 of Regulation (EU) 2016/679;
  • with a fine in the amount of 4,977.20 lei (the equivalent of 1,000 euros), for the infringement of Article 33 of Regulation (EU) 2016/679;
  • with a reprimand for the infringement of Article 15 of Regulation (EU) 2016/679, in relation to Article 12 paragraphs (3) and (4) of Regulation (EU) 2016/679.

The investigation was initiated following complaints that indicated a possible unlawful processing of personal data.

The investigation revealed that the controller, in order to organize a raffle to reward its customers, published on its Facebook page a table containing personal data of tourists, such as: name, surname, reservation identification numbers, the hotel or location where they made the reservation, and the period of stay. Thus, the controller did not adopt sufficient technical and organizational security measures. This situation led to the unauthorized disclosure of the data subjects’ data, in violation of the provisions of Article 32 of Regulation (EU) 2016/679. Consequently, the controller was fined 5,000 euros.

It was also found that the controller did not notify this data security breach, which is contrary to the provisions of Article 33 of Regulation (EU) 2016/679; a fine of 1,000 euros was imposed for this.

During the investigation, it also emerged that no evidence was presented that a complete response had been communicated to the petitioners regarding the request by which they exercised their right of access, in violation of the provisions of Article 15, in relation to the provisions of Article 12 paragraphs (3) and (4), of Regulation (EU) 2016/679. The controller was sanctioned for this act with a reprimand.

The following corrective measures were also ordered against the controller:

  • to ensure compliance of personal data processing operations with Regulation (EU) 2016/679, by implementing technical and organizational security measures appropriate to the specific nature of the processing and the risks identified, throughout the data processing cycle, training of persons who process data under the authority of the controller, and regular verification of compliance with the instructions sent to them;
  • to ensure compliance of personal data processing operations with Regulation (EU) 2016/679, by adopting internal measures necessary for the rapid detection, management and reporting of personal data security breaches, regardless of whether or not they require notification of the supervisory authority and/or the data subjects, as well as appropriate and regular training of persons who process data under the authority of the controller, in this context;
  • to communicate to the petitioners a response to their request to exercise the right of access.

 

Legal and Communication Department

A.N.S.P.D.C.P