ANSPDCP (Romania) – 04.02.2026

17 February 2026


{{DPAdecisionBOX

|Jurisdiction=Romania
|DPA-BG-Color=background-color:#ffffff;
|DPAlogo=LogoRO.jpg
|DPA_Abbrevation=ANSPDCP
|DPA_With_Country=ANSPDCP (Romania)

|Case_Number_Name=04.02.2026
|ECLI=

|Original_Source_Name_1=ANSPDCP
|Original_Source_Link_1=https://www.dataprotection.ro/?page=Comunicat_Presa_04_02_2026&lang=ro
|Original_Source_Language_1=Romanian
|Original_Source_Language__Code_1=RO
|Original_Source_Name_2=
|Original_Source_Link_2=
|Original_Source_Language_2=
|Original_Source_Language__Code_2=

|Type=Investigation
|Outcome=Violation Found
|Date_Started=
|Date_Decided=
|Date_Published=04.02.2026
|Year=
|Fine=50,899
|Currency=RON

|GDPR_Article_1=Article 32(1)(b) GDPR
|GDPR_Article_Link_1=Article 32 GDPR#1b
|GDPR_Article_2=Article 32(2) GDPR
|GDPR_Article_Link_2=Article 32 GDPR#2
|GDPR_Article_3=
|GDPR_Article_Link_3=
|GDPR_Article_4=
|GDPR_Article_Link_4=

|EU_Law_Name_1=
|EU_Law_Link_1=
|EU_Law_Name_2=
|EU_Law_Link_2=

|National_Law_Name_1=
|National_Law_Link_1=
|National_Law_Name_2=
|National_Law_Link_2=

|Party_Name_1=Genpact Romania SRL
|Party_Link_1=
|Party_Name_2=
|Party_Link_2=
|Party_Name_3=
|Party_Link_3=

|Appeal_To_Body=
|Appeal_To_Case_Number_Name=
|Appeal_To_Status=Unknown
|Appeal_To_Link=

|Initial_Contributor=
|
}}

The DPA fined a company RON 50,899 (€10,000) for failing to implement appropriate security measures, after a data breach disclosed the personal data of a significant number of employees.

== English Summary ==

=== Facts ===
The Romanian DPA (ANSPDCP) launched an investigation into Genpact Romania SRL (the controller) following a notification made by the controller regarding a data breach.

The attack exploited vulnerable passwords and the procedure for resetting the authentication of a compromised user account, which led to a data breach disclosing the personal data of employees.

=== Holding ===
The DPA found that the controller failed to implement appropriate technical and organisational measures for ensuring a level of security adequate to the risk of personal data processing. It established that the controller breached [[Article 32 GDPR#1b|Article 32(1)(b) GDPR]] and [[Article 32 GDPR#2|Article 32(2) GDPR]].

Therefore, the DPA fined the controller RON 50,899 (€10,000).

== English Machine Translation of the Decision ==
The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.

<pre>
04.02.2026

Sanction – cross-border processing

 

The National Supervisory Authority for Personal Data Processing completed, in December 2025, an investigation at the operator GENPACT ROMANIA SRL and found a violation of the provisions of art. 32 para. (1) let. b) and para. (2) of Regulation (EU) 679/2016.

As such, the operator was sanctioned with a fine in the amount of 50,899 lei, equivalent to the amount of 10,000 EURO.

In the present case, given that the main office of GENPACT ROMANIA SRL is in Romania, the National Supervisory Authority for the Processing of Personal Data had the role of supervisory authority of the main office of the controller, competent to act as lead authority for cross-border processing carried out by GENPACT ROMANIA SRL in accordance with the procedure provided for in Article 60 of Regulation (EU) 679/2016.

The investigation was initiated following the transmission by the controller of a personal data breach notification under the General Data Protection Regulation.

Thus, GENPACT ROMANIA SRL notified a personal data breach, consisting of unauthorized access to personal data through a cyber attack, of a significant number of the controller’s users.

During the investigation, the National Supervisory Authority for Personal Data Processing found that GENPACT ROMANIA SRL did not implement adequate technical and organizational measures to ensure a level of security appropriate to the risk presented by the processing, generated in particular, accidentally or unlawfully, by the destruction, loss, modification, unauthorized disclosure or unauthorized access to personal data.

This led to the unauthorized disclosure of personal data (employee name, internal employee number, office email, department, internal title, address of the Genpact office where they work, date of creation of the employee’s account, country code) of a significant number of data subjects at EU level, through a cyber attack carried out by exploiting the vulnerability of some passwords and the method of resetting the authentication of a compromised user account.

The National Supervisory Authority assessed that the circumstances of the above-mentioned case present a degree of seriousness that requires the application of a fine sanction against the operator, in relation to the criteria for individualizing fines provided for in art. 83 of Regulation (EU) 679/2016.

We specify that the operator paid the minor offence fine applied.

 

Legal and Communication Department

A.N.S.P.D.C.P.
</pre>