Romania: ANSPDCP imposes fine against Vodafone Romania for breach of GDPR in telecom services

On 20 January 2025, the Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) issued a ruling against Vodafone Romania for breaching Articles 32(4) and 32(1)(b) of the General Data Protection Regulation (GDPR). Vodafone was fined RON 74’526 (EUR 15’000) for failing to ensure the confidentiality of customer data, including names, personal identification numbers, and addresses. The Investigation revealed unauthorised data disclosures via invoice photos shared with third parties, non-use of BCC (blind carbon copy) in emails, and transmission of application interface screenshots through WhatsApp. The authority determined that Vodafone did not implement adequate technical and organisational measures to prevent unauthorised processing by employees or processors.