GDPR | Apr 21, 2026

ANSPDCP (Romania) - 07.11.2025

Romanian DPA fined Klass Wagen SRL €7,000 for failing to deactivate former employee accounts, enabling data breach.

Summary

Romania's ANSPDCP (National Supervisory Authority for Personal Data Processing) issued a €7,000 fine to Klass Wagen SRL for violating GDPR Article 32 requirements on technical and organizational security measures. A former employee disclosed credentials to the contracts management system, resulting in unauthorized access to personal data of clients and employees (names, addresses, ID/passport numbers) across multiple EU/EEA countries. The DPA ordered the company to implement account deactivation procedures for former staff and revoke their access rights.

Full text

ANSPDCP - 07.11.2025

From GDPRhub. Latest revision as of 11:37, 21 April 2026.

Authority: ANSPDCP (Romania)
Jurisdiction: Romania
Relevant Law: Article 32(1)(b) GDPR; Article 32(1)(d) GDPR; Article 32(2) GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided:
Published: 07.11.2025
Fine: 35,615 RON
Parties: Klass Wagen SRL
National Case Number/Name: 07.11.2025
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Romanian
Original Source: ANSPDCP (in RO)
Initial Contributor: dt

The DPA fined a company RON 35,615 (€7,000) for failing to implement appropriate technical and organisational measures, leading to unauthorised access to clients’ and employees’ personal data. Specifically, the DPA ordered the controller to ensure the deactivation of former employees’ accounts.

English Summary

Facts

The Romanian DPA (ANSPDCP) launched an investigation into the company Klass Wagen SRL (the controller) after a possible unauthorised access to the controller’s contracts management system. The contracts management system contained the personal data of a significant number of people, including names, addresses and passport information.
According to the investigation, the security breach was caused by a former company employee who disclosed their credentials for the contracts management system to co-workers. Additionally, the notification revealed that the incident had been reported late internally.

Holding

The DPA held that the controller violated Article 32(1)(b) GDPR, Article 32(1)(d) GDPR and Article 32(2) GDPR by not taking appropriate technical and organisational measures, which led to the unauthorised disclosure of and access to the personal data of a large number of clients and their employees. Therefore, the DPA fined the controller RON 35,615 (€7,000) and ordered the controller to implement a procedure to deactivate former employees’ accounts and revoke their access rights.

English Machine Translation of the Decision

The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.

07.11.2025

Sanction applied for violation of GDPR

Based on the cooperation mechanisms provided for by Regulation (EU) 2016/679, the National Supervisory Authority for the Processing of Personal Data, as the lead supervisory authority, completed an investigation at the controller Klass Wagen S.R.L., in which it found a violation of the provisions of art. 32 para. (1) let. b) and d) and para. (2) of Regulation (EU) 679/2016. As such, the controller was sanctioned with a fine of 35,615 lei (equivalent to 7,000 euros).

The investigation was initiated following the transmission by the controller Klass Wagen S.R.L. of a notification regarding the violation of personal data security, according to the provisions of art. 33 of Regulation (EU) 2016/679, as well as following a notification received by the Authority. Thus, the notified security breach concerned a possible unauthorized access to the operator's contract management system.
The notification sent to the National Supervisory Authority showed that the incident was reported internally with a delay, for which the operator did not immediately take necessary and appropriate measures, which led to the personal data of a significant number of data subjects being affected, including from other Member States of the European Union.

The investigation found that the security breach occurred as a result of a former employee disclosing the credentials of some colleagues for the contract management system, which allowed unauthorized access to personal data (name, surname, address, telephone number, email, place and date of birth, driving license number and expiration date, ID/passport series and number, CNP) of a significant number of data subjects, including data subjects from EU/EEA and non-EU member states.

As such, it was found that the operator violated the provisions of art. 32 par. (1) let. b) and d) and par. (2) of Regulation (EU) 679/2016, as it did not implement appropriate technical and organizational measures, which led to the unauthorized disclosure and unauthorized access to personal data of a very large number of individual customers and its employees.

In this context, in relation to the cross-border implications of the situation, the operator Klass Wagen S.R.L. was sanctioned by a Decision of the National Supervisory Authority for the Processing of Personal Data with a fine, according to the powers established by Regulation (EU) No. 2016/679 and Law No. 102/2005, republished.

At the same time, the National Supervisory Authority also applied the corrective measure by which it was ordered that the operator implement a procedure for revoking access rights and deactivating accounts associated with former employees.

Legal and Communication Department
A.N.S.P.D.C.P.
Retrieved from "https://gdprhub.eu/index.php?title=ANSPDCP_(Romania)_-_07.11.2025&oldid=51417"

This page was last edited on 21 April 2026, at 11:37. Content is available under Creative Commons Attribution-NonCommercial-ShareAlike unless otherwise noted.

Entities

Klass Wagen SRL (vendor)
ANSPDCP (Romania) (vendor)