Chartered accountant fined for inadequate data security measures

28.11.2025

On November 27, 2025, the Romanian DPA wrapped up an investigation into a data controller operating in the capacity of a chartered accountant. The DPA found that the controller had violated Article 32(1)(b) and Article 32(2) of the GDPR and, consequently, the controller received an administrative fine in the RON equivalent of EUR 2,000.

The investigation was launched after the controller submitted a data breach notification. During the inquiry, the DPA found that, following a cyberattack, the attacker both accessed the controller’s IT infrastructure and restricted the controller’s own access to it.

This incident led to the unauthorized disclosure of, and access to, personal data belonging to a significant number of data subjects, including name, national identification number, address, telephone number, email address, as well as specific financial and accounting information, such as bank statements, invoicing documents, and tax declarations.

The investigation further revealed that the controller had not implemented appropriate technical and organizational measures to ensure a level of security appropriate to the risks posed by the processing activities.

The press release is available here (Romanian language only).
