A €125,000 GDPR wake-up call: you don’t outsource responsibility

On 25 March 2026, Romania’s data protection authority (ANSPDCP) fined Renault Commercial Roumanie S.R.L. RON 637,262.50 (approx. €125,000) following a personal data breach affecting a large number of individuals.

The breach resulted from a cyberattack targeting an application operated by the controller but administered by a third-party processor. As a result, a significant volume of sensitive personal data was accessed without authorisation and later published online.

Even though the incident occurred at the processor level – and was properly reported by the controller – the fine was imposed on the controller.

Why was the controller fined?

The authority identified two key compliance failures.

1. Inadequate security measures (Article 32 GDPR)

The controller failed to implement appropriate technical and organisational measures to ensure a level of security proportionate to the risks involved.

Specifically, it did not ensure the confidentiality of its systems and did not regularly test or evaluate the effectiveness of its security measures.

Under the GDPR, security is not a one-time exercise. It must be assessed, tested, and adjusted on an ongoing basis.

2. Failure to ensure a reliable processor (Article 28 GDPR)

This is the most important takeaway from the case.

The authority concluded that the controller had not ensured that its processor provided sufficient guarantees for data protection, as required by Article 28(1) GDPR.

This obligation goes beyond signing a contract. It requires active due diligence before and during the relationship with the processor.

What does due diligence mean in practice?

In practical terms, controllers should:

  • assess the processor’s security measures before engagement;
  • ensure contractual safeguards reflect real technical and organisational capabilities;
  • implement audit rights that can be exercised in practice; and
  • monitor the processor’s compliance on an ongoing basis.
Signing a Data Processing Agreement is not enough on its own.

What should companies take away from this decision?

This case reinforces a simple but important principle: outsourcing processing does not mean outsourcing responsibility.

Controllers remain accountable not only for their own systems, but also for the processors they choose and rely on.

In that sense, vendor management is no longer just an operational issue; it is a compliance obligation.

Takeaways

Compliance is not achieved through paperwork alone.

It is achieved by ensuring, and being able to demonstrate, that your processors can actually protect the personal data entrusted to them.
