
25.09.2025

A new sanction for infringing the GDPR

 

The National Supervisory Authority for Personal Data Processing completed, in September 2025, an investigation of the controller S.C. PRIMONET RO S.R.L. and found an infringement of the provisions of Article 32 paragraph (1) letter b) and paragraph (2) of Regulation 2016/679.

As such, the controller was sanctioned with a fine of 101,544 lei, the equivalent of 20,000 euros, according to the NBR exchange rate on the date of imposing the sanction.

The investigation was initiated after the controller submitted a notification of a personal data security breach, according to the provisions of Article 33 of Regulation (EU) 2016/679.

The controller reported that, following a cyberattack, the following categories of personal data were affected for a significant number of its customers who used its e-commerce platform and paid by card: bank card number, CVC number, name and surname of the cardholder, and card expiration date.

Following the notification sent by the controller, two complaints were also received by the National Supervisory Authority from data subjects, its customers.

During the investigation it was found that the controller had not implemented security measures on its own website that could have considerably reduced the risk of modification of the code in the site's structure, due to the use of an outdated version of the platform on which the site was running at the time of the security breach.

The personal data breach caused financial damage to the data subjects, consisting of unauthorized transactions on the affected cards, a lack of funds in customer accounts as a result of unauthorized transactions that the banks failed to block, the blocking of cards, and the wait for new cards to be issued.

Therefore, it was found that the controller violated the provisions of Article 32 paragraph (1) letter b) and paragraph (2) of Regulation (EU) 2016/679, as it did not implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk presented by the processing.

At the same time, pursuant to the provisions of Article 58 paragraph (2) letter d) of Regulation (EU) 2016/679, the controller S.C. PRIMONET RO S.R.L. was ordered to apply a corrective measure: the technical and organizational implementation of a logging system for all accesses to the e-commerce platform it owns, including backup of the log files.

The controller paid the established contravention fine.

 

Legal and Communication Department

A.N.S.P.D.C.P