ANSPDCP (Romania) - fine against Renault Commercial Roumanie SRL
Romania fines Renault €125K for inadequate data security measures after cyberattack.
Summary
Romania's ANSPDCP fined Renault Commercial Roumanie SRL €125,000 (RON 637,262.50) for violations of GDPR Articles 28 and 32 following a cyberattack on an application administered by a third-party processor. The breach exposed personal data including names, phone numbers, addresses, driver license numbers, and identity documents of numerous individuals, which were published on an online platform. The DPA found the company failed to implement appropriate technical and organizational security measures and did not ensure processors offered sufficient data protection guarantees.
Full text
Latest revision as of 10:50, 27 March 2026
Authority: ANSPDCP (Romania)
Jurisdiction: Romania
Relevant Law: Article 28(1) GDPR; Article 32(1)(b) GDPR; Article 32(1)(d) GDPR; Article 32(2) GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided:
Published: 25.03.2026
Fine: 637,262.50 RON
Parties: Renault Commercial Roumanie SRL
National Case Number/Name: fine against Renault Commercial Roumanie SRL
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Romanian
Original Source: ANSPDCP (in RO)
Initial Contributor: dt
The DPA fined Renault Romania RON 637,262.50 (€125,000) for failing to implement appropriate security measures following a data breach linked to an app administered by a processor which led to the publication of leaked personal data on an online platform.
English Summary
Facts
Renault Commercial Roumanie SRL (the controller) notified the Romanian DPA (ANSPDCP) of a data breach in line with Article 33 GDPR. Subsequently, the DPA launched an investigation. During the investigation, the DPA found that a cyberattack on one of the controller's applications administered by a data processor led to the unauthorised access and disclosure of the personal data of a large number of data subjects.
Holding
The DPA found that the controller failed to implement the appropriate technical and organisational measures to ensure the security of the processing of personal data, as well as the introduction of a process for regularly testing and evaluating the efficiency of these measures, in breach of Article 32(1)(b) GDPR, Article 32(1)(d) GDPR and Article 32(2) GDPR. Furthermore, the DPA found that the controller failed to ensure that it only used data processors who offer guarantees for implementing the appropriate technical and organisational measures in light of Article 28(1) GDPR. Therefore, the DPA fined the controller RON 637,262.50 (€125,000).
English Machine Translation of the Decision
The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.
25.03.2026
Sanction for violation of the GDPR
The National Supervisory Authority for Personal Data Processing completed, in March 2026, an investigation at the operator RENAULT COMMERCIAL ROUMANIE S.R.L. and found a violation of art. 32 para. (1) let. b), d) and para. (2) in conjunction with art. 28 para. (1) of Regulation (EU) 2016/679.
As such, the operator was sanctioned with:
- a fine in the amount of 637,262.50 lei, equivalent to the amount of 125,000 euros, for violating the provisions of art. 32 para. (1) let. b), d) and para. (2) in conjunction with art. 28 para. (1) of Regulation (EU) 2016/679.
The investigation was initiated following the transmission by the operator RENAULT COMMERCIAL ROUMANIE S.R.L. of a notification of a personal data breach, in accordance with the provisions of art. 33 of Regulation (EU) 2016/679.
During the investigation, it was found that, following a cyber attack on an application of the operator administered by proxy, a series of categories of personal data belonging to a very large number of data subjects were accessed and disclosed in an unauthorized manner by publishing on a platform.
Thus, personal data such as: name, surname, personal telephone number, professional telephone number, home address, driving license number, e-mail address, postal address, personal numerical code, chassis series, date of birth, identity card series and number, position, employer, personal identification number for employees were accessed and disclosed.
As such, it was found that the operator did not implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk presented by the processing, including, among others, the ability to ensure the confidentiality of the processing systems and services, as well as the introduction of a process for testing, evaluating and periodically assessing the effectiveness of the technical and organizational measures to guarantee the security of the processing.
It was also found that the operator did not ensure that it only uses authorized persons who offer sufficient guarantees for the implementation of appropriate technical and organizational measures, in relation to the provisions of art. 28 para. (1) of the RGPD.
Legal and Communication Department
A.N.S.P.D.C.P
Content is available under Creative Commons Attribution-NonCommercial-ShareAlike unless otherwise noted.