Bucharest Court of Appeal confirms the annulment of GDPR sanction

16.07.2026

On 8 July, 2026, a data protection-related court case involving a Romanian data controller challenging a GDPR-related sanction concluded in the company’s favor, as the Bucharest Tribunal annulled the sanction and the Bucharest Court of Appeal upheld the decision.

As background, the DPA fined the controller the RON equivalent of EUR 4,000 after customer data, including email addresses, the first and last names incorporated into those email addresses, as well as names and signatures contained in the controller’s files, were unlawfully accessed and downloaded. The investigation revealed that the password to the customer correspondence email account, administered by the controller’s processor, was shared among several of the processor’s employees, enabling unauthorized access to the account.

The investigation further established that the controller had failed to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk of the processing, including measures to ensure the ongoing confidentiality of personal data.

Moreover, the company was required to establish an inspection and audit plan for its processor and to implement corrective measures to address the identified deficiencies and prevent similar security incidents in the future.

The ruling of the Bucharest Court of Appeal is final.

The court’s detailed reasoning for its decision is not yet available.

Statistics