
13.10.2025

Fine for infringing the GDPR

 

The National Supervisory Authority for Personal Data Processing finalised, in September 2025, an investigation of the controller Vellea Home SRL and found an infringement of the provisions of Article 32 paragraph (1) letter b) and paragraph (2) of Regulation (EU) 2016/679.

As such, the controller was sanctioned with a fine of 25,376 lei, the equivalent of 5,000 euros.

The investigation was launched after the controller Vellea Home SRL submitted a notification of a personal data breach, in accordance with the provisions of Article 33 of Regulation (EU) 2016/679.

The controller reported that, following a cyberattack, personal data belonging to individuals had been accessed without authorization, in the context of commercial activities carried out through the online store it owns.

During the investigation, it emerged that the controller had not implemented adequate technical and organizational measures to ensure a level of security appropriate to the risk presented by the processing, in particular the risk arising, accidentally or unlawfully, from unauthorized disclosure of, or unauthorized access to, personal data transmitted, stored or otherwise processed. Such measures include the ability to ensure the confidentiality, integrity, availability and continuous resilience of the processing systems and services, so as to prevent unlawful access to data.

This situation led, for a certain period of time, to illegal access to personal data belonging to a significant number of individuals, namely contact data (telephone, e-mail address, delivery address).

As such, the controller was sanctioned for violating the provisions of Article 32 paragraph (1) letter b) and paragraph (2) of Regulation (EU) 2016/679.

Also, pursuant to the provisions of Article 58 paragraph (2) letter d) of Regulation (EU) 2016/679, the controller was ordered to take the corrective measure of reviewing and updating the existing security incident response plan, so that it includes clear procedures for the early detection of cyber threats and automatic mechanisms for alerting on potential vulnerabilities through periodic scanning of systems.

 

Legal and Communication Department

A.N.S.P.D.C.P