ANSPDCP (Romania) - 13.11.2023

From GDPRhub
ANSPDCP - 13.11.2023
Authority: ANSPDCP (Romania)
Jurisdiction: Romania
Relevant Law: Article 32(1)(b) GDPR
Article 32(2) GDPR
Type: Investigation
Outcome: Violation Found
Fine: 100,000 EUR
National Case Number/Name: 13.11.2023
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Romanian
Original Source: Romanian DPA (in RO)
Initial Contributor: maxinescu

Rompetrol Downstream SRL, a downstream gas operator was fined €110,000 (546,073 RON) for a data breach affecting customer personal data, where data was accessed in an unauthorised manner and used to fraudulently obtain loans.

English Summary


Between 27 July 2021 and 3 January 2022, Rompetrol Downstream SRL (the controller) notified the Romanian DPA of several data breaches, in accordance with Article 33 GDPR. Following these notifications, the DPA opened an investigation against the controller.

During the investigation, the DPA found that customer data from the company's own software had been repeatedly accessed by the staff and used in an unauthorised manner. Moreover, the personal data of customers was disclosed for the purpose of obtaining loans in the data subject's name.

As a result of the data breach, personal data pertaining to controller’s customer data including data from the identity card (name, surname, series and number of the identity card, personal numerical code, address, place of birth, photo) and income statements (among the others, name and surname of the employee, date, signature, income achieved, length of service) were unlawfully accessed and further disclosed for the above mentioned illicit purposes.


The DPA held that the controller was in breach of Articles 32(1)(b), 32(2) and 32(4) GDPR.

Firstly, the DPA held that the controller had breached Article 32(1)(b) GDPR (confidentiality, integrity, availability and resilience of processing systems and services) and Article 32(4) GDPR since the controller had not taken sufficient measures to ensure that individuals acting under its authority only had access to personal data processes at their request.

Secondly, the DPA found a breach of Article 32(2) GDPR. The controller had not appropriately assessed the risks of processing and had not implemented adequate technical and organizational measures to ensure a level of security appropriate to the risk of processing, which resulted in their customers' personal data being disclosed and used to obtain loans in the data subjects' name.

As a result of the violations, the DPA imposed a fine €110,000 (546,073 RON) on the controller.


Unfortunately, the Romanian DPA does not publish its full decisions. This case presents however critical importance due to the potential criminal activities which were discovered by the DPA in relation to the unauthorized access and misuse of customer information and highlights the need for companies to enforce stringent controls at the internal level.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.


Fine for violation of art. 32 of the GDPR

The National Supervisory Authority completed, in October 2023, an investigation at the operator Rompetrol Downstream SRL and found a violation of the provisions of art. 32 para. (4) in conjunction with art. 32 para. (1) lit. b) and art. 32 para. (2) of Regulation (EU) 2016/679.

As such, the operator was penalized with a fine of 546,073.00 lei (the equivalent of 110,000 EURO).

The investigation was started as a result of the transmission by the operator of several notifications of violations of the security of personal data, between 20.07.2021 and 3.02.2022, according to art. 33 of Regulation (EU) 2016/679.

As part of the investigation, it turned out that the data of some customers from the computer program owned by the company was accessed from the internal level and used in an unauthorized manner, repeatedly, and the personal data of some customers were illegally disclosed for the purpose of obtaining loans from non-banking financial companies on their behalf.

Through the incident, the personal data of some concerned persons, data from the identity card (such as: name, first name, series and number of the identity card, personal numerical code, address, place of birth, photo) and data were disclosed without authorization from the salary certificate (such as: the employee's name and surname, date, signature, earned income, seniority).

The National Supervisory Authority found that Rompetrol Downstream SRL did not take measures to ensure that any natural person who acts under the authority of the operator and has access to personal data does not process them except at his request, nor did he implement technical and organizational measures adequate in order to ensure a level of security corresponding to the processing risk.

Legal and Communication Department