ANSPDCP (Romania) - S.C. Marsorom S.R.L.

From GDPRhub
Authority: ANSPDCP (Romania)
Jurisdiction: Romania
Relevant Law: Article 5(1)(e) GDPR; Article 25 GDPR; Article 32 GDPR
Type: Investigation
Outcome: Violation Found
Decided: 21.09.2020
Published: 15.10.2020
Fine: 3000 EUR
Parties: S.C. Marsorom S.R.L.
National Case Number/Name: ANSPDCP - S.C. Marsorom S.R.L.
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Romanian
Original Source: ANSPDCP (in RO)
Initial Contributor: n/a

The Romanian DPA (ANSPDCP) has issued a €3000 fine against a website operator who failed to prevent the unauthorised disclosure of its customers' personal data.

English Summary


The DPA conducted the investigation after being notified that on the website in question, some personal data of the website's customers were visible. If customers placed an order on the website, some of their personal data could be accessed without authorisation.


Did the website operator, in its role as data controller, take sufficient technical and organisational measures to protect the personal data of its customers? Furthermore, did the controller act in breach of the storage limitation principle?


The ANSPDCP held that the controller failed to take appropriate measures and breached the storage limitation principle enshrined in Article 5(1)(e) GDPR, and also failed to fulfill its obligation under Articles 25 and 32 GDPR.

Consequently, the DPA issued a €3000 fine and recommended that the website operator establish a shorter storage period for the personal data associated with its customers' accounts.



English Machine Translation of the Decision

The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.


Fine for violation of the GDPR

The National Supervisory Authority completed, on 21.09.2020, an investigation at SC Marsorom SRL, finding a violation of art. 25 and art. 32 of the General Data Protection Regulation.

The operator SC Marsorom SRL was sanctioned with a fine of 14574.9 lei, the equivalent of 3000 EUR.

The investigation took place as a result of a notification claiming that some personal data of its customers could be viewed on the operator's website.

During the investigation it was found that the operator SC Marsorom SRL violated the provisions of art. 25 and 32 of the General Data Protection Regulation as it did not adopt sufficient security measures to prevent unauthorized access and disclosure of personal data of customers who placed orders on this site.

At the same time, it was recommended that the operator establish a shorter storage period for personal data related to customer accounts in order to comply with the principle of storage limitation provided by art. 5 para. (1) letter e) of the General Data Protection Regulation.