
30.12.2025

Sanction for infringing the GDPR


The National Supervisory Authority for Personal Data Processing completed, in December 2025, an investigation at the controller Roumasport S.R.L. and found a violation of the provisions of Article 32 paragraph (1) letter b) and paragraph (2) in conjunction with Article 24 paragraph (1) of Regulation (EU) 2016/679.

As such, the controller was sanctioned with a fine of 50,920 lei (the equivalent of 10,000 euros).

The investigation was initiated following the transmission by the controller Roumasport S.R.L. of notifications of personal data security breaches, in accordance with the provisions of Article 33 of Regulation (EU) 2016/679.

During the investigation, it was found that, following repeated cyberattacks on the IT platform owned by the controller, personal data were accessed in an unauthorized manner.

At the same time, the investigation found that the controller had not implemented adequate technical and organisational measures to ensure a level of security appropriate to the risk presented by the processing, namely the risk of unauthorised access to personal data transmitted, stored or otherwise processed. This includes the ability to ensure the confidentiality and integrity of processing systems and services so as to prevent illegal access to customer accounts on the platform owned by the controller.

This situation led to the unauthorized access to personal data belonging to a significant number of the controller’s customers, such as: name, surname, date of birth, gender, email address, favourite store, favourite sport, postal address, phone number, password, account number, purchase history, number of loyalty points, number of loyalty vouchers.

Thus, the controller was sanctioned with a misdemeanour fine, for violating the provisions of Article 32 paragraph (1) letter b) and paragraph (2) in conjunction with Article 24 paragraph (1) of Regulation (EU) 679/2016.

Article 32 Security of processing

“(1) Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:

(…) b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services (…)

(2) In assessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.”

Article 24 Responsibility of the controller

“(1) Taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation. Those measures shall be reviewed and updated where necessary.”


Legal and Communication Department

A.N.S.P.D.C.P