Description

Data Protection Authority issued ruling on Bitdefender for GDPR violations following email security breach

On 30 April 2025, the Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) concluded an investigation into Bitdefender SRL and found violations of Article 32(1)(b) and (d), as well as Article 32(2) of the General Data Protection Regulation (GDPR). As a result, the company was fined RON 49’772. The investigation was initiated following a personal data breach notification submitted by Bitdefender SRL under Article 33 of the GDPR. The breach was caused by a programming or implementation error during an update to the company’s email security analysis service, which led to the unauthorised disclosure of a significant volume of personal data, including names and email addresses, to third parties. The Authority concluded that Bitdefender SRL had failed to implement appropriate technical and organisational measures and had not carried out regular testing, evaluation, or assessment of the effectiveness of such measures.

Scope

Policy Area: Data governance
Policy Instrument: Cybersecurity regulation
Regulated Economic Activity: software provider: other software
Implementation Level: national
Government Branch: executive
Government Body: data protection authority

Complete timeline of this policy change

2025-04-30
in force