The National Supervisory Authority for Personal Data Processing has fined Renault România €125,000 following an investigation completed in March 2026 into a data security breach, under the General Data Protection Regulation.
Personal data exposed
The investigation was initiated after the company notified the authority, in accordance with GDPR requirements.
Read also: Italian Competition Authority investigates Sephora and Benefit Cosmetics over marketing to minors
According to ANSPDCP, the incident involved a cyberattack targeting an application managed by a third party, leading to unauthorized access and disclosure of personal data belonging to a large number of individuals.
The compromised data included names, phone numbers, email addresses, home addresses, national identification numbers, ID details, driver’s license data, as well as professional and technical information such as vehicle identification numbers.
GDPR compliance failures
The authority found that Renault România failed to implement adequate technical and organizational measures to ensure data protection.
Key issues included insufficient safeguards for system confidentiality and lack of regular testing and evaluation of security measures.
Third-party risk management issues
The company also failed to ensure that the third-party service provider offered sufficient guarantees for data security, breaching GDPR requirements related to data processors.
Sanctions applied
As a result, ANSPDCP imposed the fine for violations of key GDPR provisions concerning data security and accountability in third-party relationships.
Photo: Business Review
UK
IT
ES
DE
FR
RO
PT
HU
