GDPR Sanction for Roumasport S.R.L.

Romania ANSPDCP Press (www.dataprotection.ro)
Filed December 30th, 2025
Detected March 13th, 2026

Summary

The National Supervisory Authority for Personal Data Processing in Romania has sanctioned Roumasport S.R.L. with a fine of 10,000 euros for violating GDPR provisions related to data security. The investigation followed a personal data security breach due to unauthorized access following cyberattacks.

What changed

The National Supervisory Authority for Personal Data Processing (ANSPDCP) has issued a fine of 10,000 euros to Roumasport S.R.L. for violating Article 32 (Security of processing) and Article 24 (Responsibility of the controller) of the GDPR. The sanction was imposed after an investigation revealed that Roumasport S.R.L. failed to implement adequate technical and organizational measures to protect personal data, leading to unauthorized access to customer information, including names, contact details, purchase history, and passwords, following repeated cyberattacks.

This enforcement action highlights the critical importance of robust cybersecurity measures and adherence to GDPR's data protection principles for all controllers. Roumasport S.R.L. must ensure its security measures are appropriate to the risks, including ongoing confidentiality, integrity, availability, and resilience of its processing systems. Failure to comply with GDPR requirements can result in significant financial penalties, as demonstrated by this case.

What to do next

  1. Review and update technical and organizational measures to ensure GDPR compliance, particularly regarding data security and breach prevention.
  2. Assess and enhance cybersecurity protocols to protect against unauthorized access and cyberattacks.
  3. Ensure demonstration of compliance with GDPR Article 24, including regular review and updating of processing security measures.

Penalties

Fine of 50,920 lei (equivalent to 10,000 euros)

Source document (simplified)

30.12.2025

Sanction for infringing the GDPR

The National Supervisory Authority for Personal Data Processing completed, in December 2025, an investigation at the controller Roumasport S.R.L. and found a violation of the provisions of Article 32 paragraph (1) letter b) and paragraph (2) in conjunction with Article 24 paragraph (1) of Regulation (EU) 2016/679.

As such, the controller was sanctioned with a fine of 50,920 lei (the equivalent of 10,000 euros).

The investigation was initiated following the transmission by the controller Roumasport S.R.L. of notifications of personal data security breaches, in accordance with the provisions of Article 33 of Regulation (EU) 2016/679.

During the investigation, it was found that, following repeated cyberattacks on the IT platform owned by the controller, personal data were accessed in an unauthorized manner.

At the same time, during the investigation, it was found that the controller did not implement adequate technical and organizational measures in order to ensure a level of security appropriate to the risk presented by the processing, generated by unauthorized access to personal data transmitted, stored or otherwise processed, including the ability to ensure the confidentiality and integrity of processing systems and services, to prevent illegal access to customer accounts at the level of the platform owned by the controller.

This situation led to the unauthorized access to personal data belonging to a significant number of the controller’s customers, such as: name, surname, date of birth, gender, email address, favourite store, favourite sport, postal address, phone number, password, account number, purchase history, number of loyalty points, number of loyalty vouchers.

Thus, the controller was sanctioned with a misdemeanour fine, for violating the provisions of Article 32 paragraph (1) letter b) and paragraph (2) in conjunction with Article 24 paragraph (1) of Regulation (EU) 679/2016.

“*Article 32 Security of processing*

(1) Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:

(…) *b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services (…)*

(2) In assessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.”

“*Article 24 Responsibility of the controller*

(1) Taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation. Those measures shall be reviewed and updated where necessary.”

Legal and Communication Department

A.N.S.P.D.C.P

Source

Analysis generated by AI. Source diff and links are from the original.

Classification

Agency: Various
Filed: December 30th, 2025
Instrument: Enforcement
Legal weight: Binding
Stage: Final
Change scope: Substantive

Who this affects

Applies to: Retailers
Geographic scope: EU-wide

Taxonomy

Primary area: Data Privacy
Operational domain: Compliance
Topics: Cybersecurity, Enforcement Actions
