From GDPRhub
Authority: ANSPDCP (Romania)
Jurisdiction: Romania
Relevant Law: Article 32 GDPR
Type: Investigation
Outcome: Violation Found
Decided: 06.07.2020
Published: 27.07.2020
Fine: 24182.50 RON
Parties: SC Cntar Tarom SA
National Case Number/Name: SC CNTAR TAROM SA
European Case Law Identifier: n/a
Appeal: Not appealed
Original Language(s): Romanian
Original Source: ANSPDCP (in RO)
Initial Contributor: Isabel Hahn

Weak technical and organizational security measures at Tarom led to the unauthorized access and disclosure of the personal data belonging to five passengers. The National Supervisory Authority imposed a fine of 24,182.50 lei (approx. 5,000 Euros).

English Summary


The National Supervisory Authority conducted an investigation into Tarom's security measures and found that Tarom had not implemented adequate technical and organizational measures to protect the personal data of its passengers. This led to the unauthorized access and disclosure of data belonging to five of Tarom's passengers.


Whether there had been a violation of GDPR Art.32 (security of processing).


Tarom was fined 24,182.50 lei (approx. 5,000 Euros). Tarom was required to take corrective measures, such as undertaking risk assessment procedures, reviewing and updating their security, and training its employees.


Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.

The National Supervisory Authority completed on 06.07.2020 an investigation at the operator SC CNTAR TAROM SA, as a result of the transmission by the operator of a notification regarding the violation of personal data security, finding the violation of the provisions of art. 32 para. (4), art. 32 para. (1) lit. b) and par. (2) of the General Regulation on Data Protection, which led to the application of a fine in the amount of 24,182.50 lei, the equivalent of 5,000 EURO.

The breach of data security consisted in the fact that the controller did not implement adequate technical and organizational measures to ensure that any natural person acting under the authority of the controller and who has access to personal data only processes them at the request of the controller. led to the loss of confidentiality of personal data through unauthorized access to data belonging to a number of five (5) TAROM passengers, as well as to the unauthorized disclosure of their data.

The corrective measure was also applied to the operator to review and update the technical and organizational measures implemented as a result of the risk assessment for the rights and freedoms of individuals, including working procedures on personal data protection, and the implementation of measures. on the regular training of persons acting under its authority (employees).