30.04.2025
Sanction for infringing the GDPR
The National Supervisory Authority for Personal Data Processing completed, in April 2025, an investigation at the controller BITDEFENDER SRL and found a breach of Article 32 paragraph (1) letters b) and d) and paragraph (2) of Regulation (EU) 2016/679.
As such, the controller was sanctioned with a fine in the amount of 49.772 lei (the equivalent of 10,000 euros).
The investigation was initiated following the submission by BITDEFENDER SRL of a personal data breach notification, in accordance with the provisions of Article 33 of Regulation (EU) 2016/679.
During the investigation, it was found that, due to a programming or implementation error in the update operation of the email security analysis service, the personal data of a significant number of customers were disclosed to third parties.
As such, it was found that the controller did not implement appropriate technical and organizational measures and did not periodically test, evaluate and assess the effectiveness of the technical and organizational measures to guarantee the security of data processing, including the ability to ensure the confidentiality, integrity, availability and continued resilience of the processing systems and services.
In this context, we specify that this situation led to the unauthorized disclosure of, or unauthorized access to, the personal data of a significant number of data subjects, comprising at least name, first name and email address.
Legal and Communication Department
A.N.S.P.D.C.P