01.09.2025
Sanction for infringing GDPR
In July 2025, the National Supervisory Authority for Personal Data Processing completed an investigation at the controller La Fântâna S.R.L. and found a violation of the provisions of Article 32 paragraph (1) letter b) and paragraph (2) of Regulation (EU) 2016/679.
As such, the controller was sanctioned with a fine of 50,693 lei, the equivalent of 10,000 euros.
The investigation was initiated after the controller La Fântâna S.R.L. submitted a notification of a personal data breach, in accordance with the provisions of Article 33 of Regulation (EU) 679/2016.
In it, the controller reported that, following a cyberattack, a series of categories of personal data belonging to a significant number of data subjects were affected, such as: name, surname, bank card number, card expiration date, card verification code.
At the same time, the investigation found that, at the time of the cyberattack, the controller did not have in place adequate technical and organizational measures to ensure a level of security appropriate to the risk presented by the processing, a risk arising in particular from the accidental or unlawful destruction, loss, modification, unauthorized disclosure of or unauthorized access to personal data transmitted, stored or otherwise processed. The missing measures included the ability to ensure the confidentiality, integrity, availability and continued resilience of the processing systems and services.
This situation led to the unauthorized disclosure of personal data belonging to a significant number of individuals, who were also exposed to a risk of damage through banking fraud.
In this context, the provisions of Article 32 paragraph (1) letter b) and paragraph (2) of Regulation (EU) 2016/679 were violated.
The controller paid the established fine.
Legal and Communication Department
A.N.S.P.D.C.P
