The data breach suffered by NTT Data Romania, sanctioned by the National Authority for the Supervision of Personal Data Processing (Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal, ANSPDCP), underlines the crucial importance of protecting personal data in the context of growing cyberattacks. Indeed, the breach of data security rules, as provided for in Article 32 of the GDPR, is not merely an administrative formality, but a major issue for ensuring the confidentiality and security of personal information.
This case, resulting from a cyberattack that led to unauthorized access to client data, highlights not only the obligations of companies regarding IT security, but also the financial and legal consequences they may face in the event of non-compliance with the regulation. In order to better understand the issues raised by this disastrous situation, we will examine the security measures that should have been implemented by NTT Data Romania, the notification procedures in the event of a data breach provided for by the GDPR, as well as the resulting repercussions for companies.
In the context of the NTT Data Romania incident, it is imperative to consider the technical and organizational security measures that could have prevented this regrettable incident. Pursuant to Article 32 of the GDPR, every data controller must implement adequate measures to ensure a level of security appropriate to the risk. This article particularly emphasizes the importance of the confidentiality and integrity of personal data, aspects that were neglected in this specific case.
The means of preventing such breaches include in particular the adoption of strong encryption technologies, training employees in IT security best practices, and the deployment of effective intrusion detection systems. It would also have been wise for NTT Data Romania to carry out regular risk assessments and vulnerability tests in order to verify the robustness of its IT infrastructure. Moreover, Article 32(2) of the GDPR states that the measures must be regularly tested and updated, which evidently was not done in this case.
By failing to establish these measures, the company exposed itself not only to unauthorized access to sensitive data but also to financial sanctions, such as the administrative fine confirmed by the ANSPDCP. This case highlights the crucial importance of a proactive approach to data security in the operations of a modern company. The issues relating to database law are at the heart of these problems.
This observation raises the question of the steps to follow in order to guarantee adequate handling for the parties concerned in the event of a data breach.
Following the NTT Data Romania incident, it becomes essential to explore the notification procedure in the event of a personal data breach, as described in the GDPR. Article 33 of the GDPR provides that when a personal data breach occurs, the data controller must notify the competent data protection authority without undue delay and, where feasible, within 72 hours after becoming aware of the breach.
This notification obligation is crucial in a context where transparency and consumer trust are paramount. Indeed, by promptly informing the National Authority for the Supervision of Personal Data Processing (Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal, ANSPDCP), NTT Data Romania could have mitigated the harmful consequences of such a breach. The absence of prompt notification could lead to additional sanctions for the company, such as a higher fine under Article 83 of the GDPR.
It is also important to note that Article 34 of the GDPR requires that, when the breach is likely to result in a high risk to the rights and freedoms of the data subjects, they must be informed in a clear and comprehensible manner. This includes information on the nature of the breach, the potential consequences as well as the measures taken to remedy the situation. Companies must be able to rely on the expertise of a specialized CNIL lawyer to handle these complex situations.
The handling of the breaches suffered by NTT Data Romania not only illustrates the importance of a rigorous notification procedure, but also raises questions about the legal and financial implications of a GDPR breach.
The consequences of a GDPR breach, as the case of NTT Data Romania shows, can be both financial and legal, and seriously affect a company's reputation. The fine imposed by the National Authority for the Supervision of Personal Data Processing (Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal, ANSPDCP) was 124,432.50 Romanian lei, or approximately 25,000 euros, due to non-compliance with Articles 32 and 33 of the GDPR. This sanction clearly illustrates the importance for companies of complying with data security obligations.
Financially, the penalties can become very significant. Article 83 of the GDPR provides that fines can reach up to 4% of the company's annual worldwide turnover, which represents a major issue for companies, particularly those operating on an international scale. In the event of manifest negligence, such as a failure to notify breaches within 72 hours, as noted in the NTT Data incident, the sanctions can be aggravated.
Legally, a company may face claims from affected individuals, who may bring legal actions to obtain damages in the event of harm caused by the unlawful processing of their personal data. This may also lead to a poor relationship with the regulatory authorities and a loss of client trust, essential for the company's sustainability.
This observation highlights the imperative need for companies to implement robust data protection strategies and to comply strictly with the regulations in force. Managing the consequences of a breach is crucial in order to avoid such disastrous outcomes, an issue that must remain at the heart of company managers' priorities.
To learn more
NTT Data Romania was sanctioned by the Romanian data protection authority (ANSPDCP) following a cyberattack that led to unauthorized access to client data. The sanction is based on a breach of the data security rules provided for in Article 32 of the GDPR.
Article 32 of the GDPR requires companies to implement appropriate technical and organizational measures to ensure the security of personal data. Non-compliance with this obligation, as in the NTT Data Romania case, exposes a company to financial and legal sanctions.
Yes. Suffering a cyberattack does not exonerate the company if the security measures were insufficient. In the NTT Data Romania case, the unauthorized access to data revealed breaches of Article 32 of the GDPR, which justified the supervisory authority's sanction.
The company should have deployed technical and organizational measures appropriate to the risks: access protection, encryption, monitoring and suitable procedures. The insufficiency of these measures in the face of the cyberattack characterized the breach of Article 32 of the GDPR.
The GDPR requires notifying the data breach to the supervisory authority within the prescribed time limits and, where applicable, informing the data subjects. Compliance with these notification procedures is one of the obligations whose breach can aggravate the legal consequences.
Non-compliance with the GDPR security rules exposes the company to financial sanctions imposed by the supervisory authority, as illustrated by the ANSPDCP decision. Added to this are legal repercussions and damage to the trust of clients whose data has been compromised.
Prevention involves implementing security measures suited to the risks, continuous monitoring, incident response procedures and the documentation of compliance. Meeting the requirements of Article 32 of the GDPR in advance reduces exposure to sanctions in the event of a cyberattack.
A data protection lawyer helps manage the notification of the breach, assess the compliance of the security measures and engage with the supervisory authority. This support limits the legal and financial consequences of a security incident.