Investigation Overview
In April 2025, the Romanian Data Protection Authority (ANSPDCP) finalized an investigation into ACCOUNTING & AUDIT CONSULTING SRL, following a personal data breach notification submitted under Article 33 GDPR.
The authority found a violation of Article 32 (1) and (2) GDPR and imposed a fine of 24,887 RON (approximately €5,000).
What happened
Unauthorized individuals gained unlawful access to personal data belonging to employees of the operator's clients.
The compromised data included:
- full name
- personal identification number
- home address
- job position
- salary and financial details
This type of data involves a high risk, particularly regarding identity theft and financial misuse.
Identified deficiencies
The authority concluded that the operator failed to implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk.
Specifically, the operator failed to prevent:
- unauthorized access
- unauthorized disclosure
- alteration or loss of data
This reflects both technical and organizational shortcomings.
Corrective measures
Under Article 58(2)(d) GDPR, the authority imposed corrective measures, including:
- periodic verification of internal procedures
- regular staff training
- increased awareness of data processing risks
Real impact
Beyond the financial penalty, such incidents may lead to:
- reputational damage
- loss of client trust
- legal exposure
- further regulatory scrutiny
Key lessons
Operators should implement:
- role-based access control
- multi-factor authentication
- data encryption
- logging and monitoring
- regular staff training
- periodic security assessments
Conclusion
This case highlights that inadequate security measures inevitably lead to breaches and sanctions.
Data protection must be treated as an ongoing operational priority, not a formal compliance exercise.