The National Supervisory Authority for Personal Data Processing completed, in May 2025, an investigation at Accounting Audit SRL and found the breach of Article 32 paragraph (1) letter b) and paragraph (2) of Regulation (EU) 2016/679.

As such, Accounting Audit SRL was sanctioned with a fine in the amount of 50,553 lei, the equivalent of 10,000 euros.

The investigation was initiated following the submission by Accounting Audit SRL of a personal data breach notification under the GDPR. Data breach notifications were also submitted by two of Accounting Audit SRL’s clients for whom it acted as a processor.

The investigation found that the data processing security breach occurred as a result of a cyberattack, which led to the unauthorized disclosure of personal data (identification data, payment statements, articles of association, other confidential information received from clients, financial and accounting documents) for a very large number of data subjects, mainly employees of Accounting Audit SRL’s clients.

As such, in relation to the criteria for individualizing sanctions provided for in Article 83 of the GDPR, a fine was imposed for violating the provisions of Article 32 paragraph (1) letter b) and paragraph (2) of the GDPR, since Accounting Audit SRL, as processor, did not implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk of the processing, including the ability to ensure the confidentiality and integrity of the processing systems and services.

Legal and Communication Department

A.N.S.P.D.C.P