Romania: Issued ruling in ANSPDCP investigation into Vodafone's GDPR compliance

On 28 October 2024, the National Supervisory Authority for the Processing of Personal Data in Romania (ANSPDCP) concluded an investigation into Vodafone Romania SA, identifying a breach of Article 32 of the General Data Protection Regulation (GDPR). The investigation, initiated from a complaint about the improper disclosure of email addresses in communications regarding account manager changes, revealed that Vodafone Romania SA failed to implement adequate technical and organisational measures to ensure data confidentiality. Consequently, the operator was fined RON 24’870.5 (approx. EUR 5’000). Additionally, a corrective measure was ordered to reassess security measures, focusing on employee training and compliance verification to align with the processing risk level.