
28.04.2025

Sanction for infringing the GDPR

 

The National Supervisory Authority for Personal Data Processing completed, in April 2025, an investigation at the controller Xiting ROM SRL and found a breach of Article 12 paragraphs (3) and (4) in conjunction with Article 15 paragraphs (1)-(3) of Regulation (EU) 2016/679.

As such, the controller was sanctioned with a fine in the amount of 4,977 lei (the equivalent of 1,000 euros).

The investigation was launched following a complaint from an individual, who claimed that the controller had not respected his right of access to his personal data.

During the investigation, it was found that the controller Xiting ROM S.R.L. did not communicate to the applicant, within the legal deadline, an appropriate and complete written response to his request for information regarding the processing of his personal data, as well as an electronic copy of these data.

As such, it was established that the provisions of Article 12 paragraphs (3)-(4) in conjunction with Article 15 paragraphs (1)-(3) of Regulation (EU) 2016/679 were violated, and the controller was fined.

At the same time, pursuant to the provisions of Article 58 paragraph (2) letter b) of Regulation (EU) 2016/679, the following corrective measures were ordered against the controller:

  • to send a complete response to the request of the applicant, to his/her e-mail address, by securely communicating all documents and records containing his/her personal data that are currently available in the controller’s database, or, as the case may be, the justification for the refusal to make them available, by referring to the provisions of Article 12 paragraph (4) and Article 15 paragraphs (3)-(4) of the GDPR;
  • to ensure compliance of personal data processing operations with the GDPR, by adopting the necessary technical and organizational measures, including appropriate training of the personnel designated for this purpose, so that the controller is able to correctly assess, handle and respond appropriately to requests by which the data subjects exercise their rights, within the deadlines and according to the conditions provided for in Articles 12-23 of the GDPR.

 

Legal and Communication Department

A.N.S.P.D.C.P