ANSPDCP (Romania) - Bitdefender Srl
ANSPDCP - Bitdefender Srl | |
---|---|
Authority: | ANSPDCP (Romania) |
Jurisdiction: | Romania |
Relevant Law: | Article 32(1)(b) GDPR; Article 32(1)(d) GDPR; Article 32(2) GDPR |
Type: | Investigation |
Outcome: | Violation Found |
Started: | |
Decided: | |
Published: | 30.04.2025 |
Fine: | 47,722 RON |
Parties: | n/a |
National Case Number/Name: | Bitdefender Srl |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | Romanian |
Original Source: | ANSPDCP (in RO) |
Initial Contributor: | cci |
Antivirus provider Bitdefender suffered a data breach involving customers' names and emails. The DPA fined the company RON 47,772 (€10,000) over the failure to implement appropriate security measures.
English Summary
Facts
Antivirus provider Bitdefender (the controller) suffered a breach. Due to a misconfiguration of the controller’s systems, personal data of customers were disclosed to third parties, including customers’ names and email addresses. The controller communicated the breach to the DPA.
Holding
After the investigation, the DPA held that the controller failed to implement appropriate security measures and to monitor their effectiveness. The DPA fined the controller RON 47,772 (€10,000) for violating Article 32(1)(b), Article 32(1)(d) and Article 32(2) GDPR.
English Machine Translation of the Decision
The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.
30.04.2025
Sanction for violation of the GDPR
The National Supervisory Authority for Personal Data Processing completed, in April 2025, an investigation at the operator BITDEFENDER SRL and found a violation of art. 32 para. (1) letters b) and d) and para. (2) of Regulation (EU) 2016/679.
As such, the operator was sanctioned with a fine in the amount of 49,772 lei (equivalent to 10,000 euros).
The investigation was initiated following the transmission by BITDEFENDER SRL of a notification of a personal data breach, according to the provisions of art. 33 of Regulation (EU) 2016/679.
During the investigation, it was found that, due to a programming or implementation error in the update operation of the email security analysis service, a significant number of customers' personal data were disclosed to third parties.
As such, it was found that the operator did not implement appropriate technical and organizational measures and did not periodically test, evaluate and assess the effectiveness of the technical and organizational measures to guarantee the security of data processing, including the ability to ensure the confidentiality, integrity, availability and continuous resilience of the processing systems and services.
In this context, we specify that this situation led to the unauthorized disclosure of or unauthorized access to the personal data of a significant number of data subjects: at least name, surname and email address.
Legal and Communication Department
A.N.S.P.D.C.P