ANSPDCP (Romania) – 19.01.2026

26 January 2026



{{DPAdecisionBOX

|Jurisdiction=Romania
|DPA-BG-Color=background-color:#ffffff;
|DPAlogo=LogoRO.jpg
|DPA_Abbrevation=ANSPDCP
|DPA_With_Country=ANSPDCP (Romania)

|Case_Number_Name=19.01.2026
|ECLI=

|Original_Source_Name_1=ANSPDCP
|Original_Source_Link_1=https://www.dataprotection.ro/?page=Comunicat_Presa_19_01_2026&lang=ro
|Original_Source_Language_1=Romanian
|Original_Source_Language__Code_1=RO
|Original_Source_Name_2=
|Original_Source_Link_2=
|Original_Source_Language_2=
|Original_Source_Language__Code_2=

|Type=Investigation
|Outcome=Violation Found
|Date_Started=
|Date_Decided=
|Date_Published=19.01.2026
|Year=
|Fine=76,366
|Currency=RON

|GDPR_Article_1=Article 5(1)(c) GDPR
|GDPR_Article_Link_1=Article 5 GDPR#1c
|GDPR_Article_2=Article 5(2) GDPR
|GDPR_Article_Link_2=Article 5 GDPR#2
|GDPR_Article_3=Article 32(1)(b) GDPR
|GDPR_Article_Link_3=Article 32 GDPR#1b
|GDPR_Article_4=Article 32(2) GDPR
|GDPR_Article_Link_4=Article 32 GDPR#2
|GDPR_Article_5=
|GDPR_Article_Link_5=
|GDPR_Article_6=
|GDPR_Article_Link_6=

|EU_Law_Name_1=
|EU_Law_Link_1=
|EU_Law_Name_2=
|EU_Law_Link_2=

|National_Law_Name_1=
|National_Law_Link_1=
|National_Law_Name_2=
|National_Law_Link_2=

|Party_Name_1=Continental Automotive Products SRL
|Party_Link_1=
|Party_Name_2=
|Party_Link_2=
|Party_Name_3=
|Party_Link_3=

|Appeal_To_Body=
|Appeal_To_Case_Number_Name=
|Appeal_To_Status=Unknown
|Appeal_To_Link=

|Initial_Contributor=
|
}}

The DPA fined a company RON 25,455 (€5,000) for the internal distribution of a spreadsheet containing health-related data of current and former employees. Furthermore, the DPA fined the controller RON 50,911 (€10,000) for failing to implement sufficient security measures for its processing activities.

== English Summary ==

=== Facts ===
The Romanian DPA (ANSPDCP) launched an investigation into Continental Automotive Products SRL (the controller) after the controller notified it of a personal data breach.

According to the notification, a spreadsheet listing the controller’s employees and former employees, including mentions of health-related data, had been distributed internally several times.

=== Holding ===
The DPA found that the controller violated the principle of data minimisation in [[Article 5 GDPR#1c|Article 5(1)(c) GDPR]], as well as the principle of accountability in [[Article 5 GDPR#2|Article 5(2) GDPR]].

Furthermore, the DPA found that the controller failed to implement sufficient technical and organisational measures to guarantee the security and resilience of processing systems, violating [[Article 32 GDPR#1b|Article 32(1)(b) GDPR]] and [[Article 32 GDPR#2|Article 32(2) GDPR]].

Therefore, the DPA issued a fine of RON 25,455 (€5,000) to the controller for failing to adhere to the data minimisation and accountability principles, and a second fine of RON 50,911 (€10,000) for the failure to implement sufficient measures for security and resilience. Finally, the DPA ordered the controller to bring its processing into compliance.


== English Machine Translation of the Decision ==
The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.

<pre>
19.01.2026

Sanctions for violation of the GDPR

 

The National Supervisory Authority for Personal Data Processing completed, in December 2025, an investigation at the operator Continental Automotive Products SRL and found a violation of the provisions of art. 5 para. (1) let. c) and para. (2) and art. 32 para. (1) let. b) and para. (2) of Regulation (EU) 2016/679.

As such, the operator was sanctioned as a contravention:

- with a fine in the amount of 25,455 lei (equivalent to 5,000 EURO), for violating art. 5 para. (1) let. c) and para. (2) of Regulation (EU) 2016/679;
- with a fine of 50,911 lei (equivalent to 10,000 EURO), for violating art. 32 par. (1) letter b) and par. (2) of Regulation (EU) 2016/679.

The investigation was initiated following the transmission by the operator Continental Automotive Products SRL of a notification regarding the breach of personal data security, according to the provisions of art. 33 of Regulation (EU) 2016/679.

According to what was mentioned in the notification form, an Excel file containing a centralizer with the operator’s employees, including medical data, was distributed internally, repeatedly.

The Excel file contained data from the medical certificates of employees and former employees from a certain period of time.

The investigation also revealed that the operator had not implemented sufficient technical and organizational measures to guarantee data security and the resilience of the processing systems. This vulnerability allowed unauthorized access to a series of personal data for a significant number of employees and former employees.

Thus, a lack of responsibility was found on the part of the operator in implementing appropriate technical and organizational measures to minimize the risk of unauthorized disclosure/access to personal data.

At the same time, the operator was also ordered to take the corrective measure of implementing, within a technical and organizational procedure, all processes involving the processing of personal data, including the establishment of a monitoring and control process in order to immediately identify any incidents of personal data security breaches.

 

Legal and Communication Department

A.N.S.P.D.C.P
</pre>