30.05.2025
Sanction for infringing the GDPR
The National Supervisory Authority for Personal Data Processing completed, in April 2025, an investigation at the controller AG-BROKER ASIGURARE S.R.L. and found a breach of Article 32 paragraph (1) letter b) and paragraph (2) of Regulation (EU) 2016/679.
As such, the controller was sanctioned with a fine in the amount of 24,887 lei (the equivalent of 5,000 euros).
The investigation was initiated after the controller AG-BROKER ASIGURARE S.R.L. submitted a personal data breach notification, in accordance with Article 33 of Regulation (EU) 2016/679.
The controller reported that, following a cyberattack, the following categories of personal data were affected: CNP (personal numeric code), name, first name, photos from identity cards of natural persons, birth certificates, driving licenses, vehicle registration certificates, email addresses and telephone numbers of a significant number of customers.
During the investigation, it was found that, at the time of the cyberattack, the controller had not implemented security measures with specific requirements for secure access to network storage equipment, measures that would have reduced the risk of unauthorized access to the personal data listed above.
Therefore, it was found that the controller did not implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk presented by the processing, a risk arising in particular from the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or unauthorized access to personal data transmitted, stored or otherwise processed. Those measures include the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services. This failure led to the unauthorized disclosure of personal data processed by the controller.
Legal and Communication Department
A.N.S.P.D.C.P