Policy, Jun 25, 2026

ANSPDCP (Romania) - 18.06.2026

Romania's DPA fines Altex Romania for data breach and notification failures.

Summary

The Romanian Data Protection Authority (ANSPDCP) has fined electronics retailer Altex România S.R.L. a total of RON 52,086 (€10,000) for multiple GDPR violations. The company failed to implement adequate security measures, resulting in a data breach where a customer accessed a third party's personal data. Additionally, Altex Romania did not notify the DPA or the affected individual about the breach as required by GDPR.

Full text

Latest revision as of 08:42, 25 June 2026

ANSPDCP - 18.06.2026

Authority: ANSPDCP (Romania)
Jurisdiction: Romania
Relevant Law: Article 32(1) GDPR; Article 32(2) GDPR; Article 33(1) GDPR; Article 34(1) GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided:
Published: 18.06.2026
Fine: 52,086 RON
Parties: Altex România S.R.L.
National Case Number/Name: 18.06.2026
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Romanian
Original Source: ANSPDCP (in RO)
Initial Contributor: ds

The DPA fined an electronics retailer RON 52,086 (€10,000) for failing to implement appropriate technical and organisational measures that resulted in a personal data breach and not notifying the DPA and the affected individual about the breach.

English Summary

Facts

The Romanian DPA (ANSPDCP) launched an investigation into an electronics retailer, Altex România S.R.L. (the controller), after receiving a complaint from a data subject alleging possible violations of GDPR.

During the investigation, the DPA discovered that while the data subject was in the process of being validated in the controller’s mobile application, a technical error occurred. Due to this technical malfunction, the data subject gained unauthorised access to a third party’s personal data, namely name, surname, invoices and delivery addresses.

Holding

The DPA held that the controller did not implement sufficient technical and organisational measures to ensure the security and confidentiality of personal data, according to Article 32(1) GDPR and Article 32(2) GDPR, and imposed a fine of RON 36,461 (€7,000).

In addition, the DPA found that the controller failed to notify it, as the National Supervisory Authority, of the personal data breach, as required under Article 33(1) GDPR. Therefore, it fined the controller RON 10,417 (€2,000).

The DPA also found that the controller did not communicate the personal data breach to the affected third person, violating Article 34(1) GDPR, and fined the controller RON 5,208 (€1,000).

Furthermore, the DPA ordered the controller under Article 58(2)(d) GDPR to review the validation/authentication mechanisms associated with user accounts; to implement periodic testing procedures of application vulnerabilities and internal procedures regarding the management of security incidents and to assess its notification obligations according to Article 33 GDPR and Article 34 GDPR; to regularly carry out training of the personnel involved in the management of incidents and requests of data subjects; and to send a written response to the data subject regarding the reported issues.

English Machine Translation of the Decision

The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.

18.06.2026

Sanctions for violation of the GDPR

The National Supervisory Authority for Personal Data Processing completed an investigation at Altex România S.R.L in May 2026 and found a violation of the provisions of art. 32 para. (1), letters b) and d) and para. (2), of art. 33 para. (1) and of art. 34 para. (1) of Regulation (EU) 2016/679.

As such, Altex România S.R.L was sanctioned with a fine, as follows:

- fine in the amount of 36,461 lei (equivalent to 7,000 euros) for violating the provisions of art. 32 para. (1), letters b) and d) and para. (2) of Regulation (EU) 2016/679, as it did not implement appropriate technical and organizational measures;
- fine in the amount of 10,417 lei (equivalent to 2,000 euros) for violating the provisions of art. 33 par. (1) of Regulation (EU) 2016/679, as the operator did not send the notification of the personal data breach to the National Supervisory Authority;
- fine in the amount of 5,208 lei (equivalent to 1,000 euros) for violating the provisions of art. 34 par. (1) of Regulation (EU) 2016/679, as the operator did not inform the data subject of the fact that his personal data had been breached.

The investigation was initiated following the submission of petitions by an individual who reported possible violations of Regulation (EU) 2016/679.

As a result of the investigation carried out, it emerged that, due to a technical vulnerability in the operator's mobile application during the process of validating the applicant's account, personal data belonging to a third party were accessed. Thus, this malfunction led to unauthorized access to the personal data of a third party, such as: name, surname, invoices and delivery addresses.

During the investigation, it was found that the operator did not implement sufficient appropriate technical and organizational measures to ensure the security and confidentiality of personal data, in accordance with the provisions of art. 32 para. (1) and (2) of Regulation (EU) 2016/679.

In addition, it was found that the operator did not notify the National Supervisory Authority of the personal data breach incident nor did it inform the affected person, thus violating the provisions of art. 33 and art. 34 of Regulation (EU) 2016/679.

At the same time, pursuant to art. 58 paragraph (2) letter d) of Regulation (EU) 2016/679, the following corrective measures were ordered against the operator:

- review of the validation/authentication mechanisms associated with user accounts;
- implementation of procedures for periodic testing of application vulnerabilities;
- implementation of internal procedures regarding the management of security incidents and the assessment of notification obligations according to art. 33 and 34 of Regulation (EU) 2016/679;
- periodic training of the personnel involved in the management of incidents and requests of the data subjects;
- sending a written response to the petitioner regarding the issues notified.

Legal and Communication Department A.N.S.P.D.C.P.

Retrieved from "https://gdprhub.eu/index.php?title=ANSPDCP_(Romania)_-_18.06.2026&oldid=52001"

This page was last edited on 25 June 2026, at 08:42. Content is available under Creative Commons Attribution-NonCommercial-ShareAlike unless otherwise noted.

Entities

Altex România S.R.L. (vendor)
mobile application (product)