
04.02.2025

Sanction for the infringement of the GDPR

 

The National Supervisory Authority for Personal Data Processing completed, in December 2024, an investigation at the controller V&M Contab&Management SRL and found the breach of Article 58 (1) letters a) and e) and of Article 32 (4) in conjunction with Article 32 (1) letter b) and (2) of Regulation (EU) 2016/679.

As such, the controller was sanctioned:

  1. with a fine of 9,954 lei (the equivalent of 2,000 euros) for the breach of Article 58 (1) letters a) and e) of Regulation (EU) 2016/679 in conjunction with Article 83 (5) letter e) of Regulation (EU) 2016/679;
  2. with a fine of 39,816 lei (the equivalent of 8,000 euros) for the breach of Article 32 (4) in conjunction with Article 32 (1) letter b) and (2) of Regulation (EU) 2016/679.

The investigation was launched following an intimation claiming a possible infringement of the provisions of Regulation (EU) 2016/679.

During the investigation, it was found that the controller did not respond to the information requests of the National Supervisory Authority, although it had the obligation to allow the access of our institution to the personal data and to all the information necessary to fulfil the legal duties, thus violating the provisions of Article 58 (1) letters a) and e) of Regulation (EU) 2016/679.

Also, within the investigation, it was found that the controller sent to a third party, via WhatsApp, a table with access passwords in the Revisal platform for several legal entities, through which the personal data of the employees of these companies could be accessed. This incident led to unauthorized disclosure of the processed personal data (such as name, surname, citizenship, personal identification number, domicile). Therefore, the controller has not taken measures to ensure that any natural person acting under its authority and having access to personal data does not process them except at the request of the controller. At the same time, the controller did not implement adequate technical and organisational measures in order to ensure a level of security corresponding to the risk of the processing, including the ability to ensure the confidentiality and integrity of the processing systems and services. Thus, the provisions of Article 32 (1) letter b), (2) and (4) of Regulation (EU) 2016/679 were breached.

At the same time, the corrective measure of changing all the access credentials for the Revisal platform available on the website https://reges.inspectiamuncii.ro/ for all the legal entities affected by the incident was ordered against the controller.

 

Legal and Communication Department

A.N.S.P.D.C.P