ANSPDCP (Romania) - 24.10.2023

From GDPRhub
ANSPDCP - 24.10.2023
Authority: ANSPDCP (Romania)
Jurisdiction: Romania
Relevant Law: Article 32(1)(b) GDPR
Article 32(1)(d) GDPR
Article 32(2) GDPR
Type: Complaint
Outcome: Upheld
Fine: 3000 EUR
Parties: n/a
National Case Number/Name: 24.10.2023
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Romanian
Original Source: Romanian DPA (in RO)
Initial Contributor: maxinescu

An online platform selling IT products was fined €3,000 for a data breach, which led to unauthorised disclosure of its clients' personal data.

English Summary


In early October 2023, the Romanian DPA opened an investigation against an online platform selling IT products (controller), following a complaint alleging that the controller's platform was vulnerable to data breaches.

During the investigation, the DPA found that a publicly accessible link led to a list of downloadable files held by the controller, which included invoices and certificates for the products purchased by clients on the controller’s platform. Access to the link led to the unauthorised disclosure of the controllers’ clients personal data, which included data subjects' name, surname, residential address, e-mail address, invoice number, date of purchase, products purchased and their value.


The Romanian DPA found that the controller had violated Articles 32(1)(b), 32(1)(d) and 32(2) GDPR, as they had failed to implement adequate technical and organisational measures to ensure an appropriate level of security. As a result, the Romanian DPA fined the controller €3,000.


Unfortunately, this summary is based on a press-release, as the Romanian DPA does not publish its full decisions.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.


A new penalty for breaching GDPR

In October of the current year, the National Supervisory Authority completed an investigation at the operator Mensajero SRL in which it found a violation of the provisions of art. 32 para. (1) lit. b) and d) in conjunction with art. 32 para. (2) of the General Data Protection Regulation.

As such, the operator was fined 14,925.6 lei, the equivalent of 3,000 EURO.

The sanction was applied as a result of a notification claiming a possible violation of the security of personal data on the website of the operator Mensajero SRL.

During the investigation, it was found that the breach of data processing security occurred by accessing a link that displayed a list of numerous downloadable files that mostly contained invoices and warranty certificates for the products purchased by the operator's customers.

This situation led to the unauthorized disclosure of personal data of the operator's customers (natural and legal persons), such as: name, surname, address, e-mail address, no. and invoice date, purchased products and their value.

Thus, the operator Mensajero SRL was fined for violating the provisions of art. 32 para. (1) lit. b) and d) in conjunction with art. 32 para. (2) of the General Data Protection Regulation, as it did not implement adequate technical and organizational measures to ensure a level of security corresponding to the processing risk.

Legal and Communication Department