Home » Comunicat_Presa_12.08.2025
 Română | English | Francais

sigla_anspdcp_2.png

The new Regulation 2016/679 applicable from 25th of May 2018

 

Complaints

GDPR Complaints

 

Procedure for complaints

Information on the payment of fine by legal entities

Controllers

Data Protection Officer Form

 

GDPR Breach Notification

 

Law nr. 506/2004 Breach Notification

 

GDPR Sanctions

Schengen

 

Schengen

Visa Information System

 

 

 

Visa Information System

News

Useful Information

 

F.A.Q.

Guidelines Q&A Regulation (EU) 2016/679

Indicative guidelines GDPR

Guidelines on the application of Law no. 363/2018

Useful Links

 

TFTP - Terrorist Finance Tracking Program

 

 

 

Procedure

Forms

Contact

Contact us

Data Protection

Information on the processing of personal data carried out by ANSPDCP

 

Cookies policy

12.08.2025

Sanction for infringing GDPR

 

The National Supervisory Authority for Personal Data Processing, completed, in June 2025, an investigation at the “FLEXICREDIT” Association of the Mutual Aid House and found a violation of the provisions of Article 32 paragraph (2) of the General Data Protection Regulation (GDPR).

As such, the controller “FLEXICREDIT” Association of the Mutual Aid House was fined with 15,141.6 lei, the equivalent of 3,000 EURO.

The investigation was initiated following an intimation sent by “FLEXICREDIT” Association of the Mutual Aid House itself, reporting that an employee of a secondary school had obtained unauthorized access to the official e-mail address of the educational unit and had sent false documents to Flexicredit in order to contract 17 loans.

During the investigation it was found that, during 2023-2024, the “FLEXICREDIT” Mutual Aid Association granted 17 loans based on documents transmitted electronically by a third party, without the consent of the data subjects in whose name the loan agreements were concluded.

It was also noted that the controller did not properly verify the identity of the applicants in the case of remote credit applications, based on the documents received from them.

At the same time, it was found that “FLEXICREDIT” Mutual Aid House Association did not implement adequate technical and organizational measures to ensure a level of security appropriate to the risk of processing, which led to the processing of personal data (e.g. name, surname, personal identification number, home address, series/number of identity card, date of issue and issuer of identity card, date of validity of identity card) of a significant number of data subjects in the context of granting 17 credits based on falsified documents.

As such, based on the criteria for individualizing the sanctions provided for in Article 83 of the GDPR, it was established that the controller “FLEXICREDIT” Mutual Aid House Association was sanctioned with a fine for violating the provisions of Article 32 paragraph (2) of the GDPR.

 

Legal and Communication Department

A.N.S.P.D.C.P