26.11.2025
Sanction for infringing the GDPR
The National Supervisory Authority for Personal Data Processing completed, in November 2025, an investigation at the controller PFA Nițu A. Cleopatra – Expert contabil and found a violation of the provisions of Article 32 paragraph (1) letter b) and paragraph (2) of Regulation (EU) 2016/679.
As such, the controller was sanctioned with a fine of 10,167 lei, the equivalent of 2,000 euros.
The investigation was initiated following the transmission by the controller of a personal data breach notification, in accordance with the provisions of Article 33 of Regulation (EU) 679/2016.
During the investigation, it was found that, following a cyberattack, the controller’s IT infrastructure was accessed and the controller’s access to its own infrastructure was restricted.
This situation led to the disclosure of and unauthorized access to personal data belonging to a significant number of data subjects, namely: name, personal identification number, address, telephone number, e-mail address, financial and accounting data (bank statements, billing documents, tax returns).
At the same time, during the investigation, it emerged that the controller had not implemented adequate technical and organizational measures to ensure a level of security appropriate to the risk presented by the processing, generated in particular by accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or unauthorized access to personal data.
This situation led to the unauthorized disclosure of personal data belonging to a significant number of individuals.
In this context, the provisions of Article 32 paragraph (1) letter b) and paragraph (2) of Regulation (EU) 2016/679 were violated.
Legal and Communication Department
A.N.S.P.D.C.P
