ANSPDCP (Romania) - fine against AG-BROKER ASIGURARE S.R.L
ANSPDCP - Insurance company press release | |
---|---|
Authority: | ANSPDCP (Romania) |
Jurisdiction: | Romania |
Relevant Law: | Article 32(1)(b) GDPR; Article 32(2) GDPR |
Type: | Investigation |
Outcome: | Violation Found |
Started: | |
Decided: | |
Published: | 30.05.2025 |
Fine: | 24,887 RON |
Parties: | AG-BROKER ASIGURARE S.R.L. |
National Case Number/Name: | Insurance company press release |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | Romanian |
Original Source: | ANSPDCP (in RO) |
Initial Contributor: | ap |
The DPA fined an insurance agency RON 24,887 (€5,000) for failing to implement appropriate security measures concerning its network storage equipment. This failure led to unlawful access to customers’ personal data.
English Summary
Facts
AG-BROKER ASIGURARE S.R.L. (the controller) is an insurance agency that reported a data breach caused by a cyberattack. The attack affected a significant number of customers and a broad range of personal data (including names, birth certificates, email addresses, and phone numbers).
Holding
The DPA found that the controller had not implemented security measures for secure access to its network storage equipment, which increased the risk of unauthorised access to its customers’ personal data. The DPA therefore fined the controller for failing to implement technical and organisational measures appropriate to the risk of the processing, as required by Article 32(1)(b) and Article 32(2) GDPR.
English Machine Translation of the Decision
The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.
30.05.2025

Sanction for non-compliance with the GDPR

The National Supervisory Authority for Personal Data Processing completed, in April 2025, an investigation at the operator AG-BROKER ASIGURARE S.R.L., and found a violation of the provisions of art. 32 para. (1) letter b) and para. (2) of Regulation (EU) 2016/679.

For the acts committed, the operator was fined 24,887 lei (equivalent to 5,000 euros).

The investigation was initiated following the transmission by the operator AG-BROKER ASIGURARE S.R.L. of a notification regarding the breach of personal data security, according to the provisions of art. 33 of Regulation (EU) 2016/679.

Thus, the operator notified that, following a cyber attack, the following categories of personal data were affected, namely CNP, name, first name, photos from identity cards of natural persons, birth certificates, driving licenses, vehicle registration certificates, email addresses and telephone numbers of a significant number of customers.

During the investigation, it was found that the operator had not implemented, at the time of the cyber attack, security measures with specific requirements regarding secure access to network storage equipment that would reduce the risk of unauthorized access to the aforementioned personal data.

Therefore, it was found that the operator did not implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk presented by the processing, generated in particular, accidentally or unlawfully, by the destruction, loss, alteration, unauthorized disclosure of or unauthorized access to personal data transmitted, stored or otherwise processed, including the ability to ensure the confidentiality, integrity, availability and continuous resilience of the processing systems and services, which led to the unauthorized disclosure of personal data processed by the operator.

Legal and Communication Department
A.N.S.P.D.C.P.