In today’s digital environment, data breaches are not a matter of if, but when. Companies that collect, store, or process personal data must respond swiftly and lawfully when a breach occurs. The General Data Protection Regulation (GDPR) imposes strict obligations on organisations for breach notification, investigation, and mitigation.
This article outlines the key legal responsibilities Romanian businesses face after a data breach and the practical steps they must take to comply with EU and national data protection laws.
What is a data breach under Romanian and EU law?
Article 4(12) of the GDPR defines a personal data breach as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed. The definition covers availability and integrity incidents as well as confidentiality ones: ransomware that encrypts a customer database is a breach even if no data leaves the network.
Examples of data breaches include:
- Cyberattacks that expose customer data
- Lost or stolen devices containing unencrypted data
- Accidentally sending personal information to the wrong recipient
- Employees misusing personal data internally
In Romania, the National Supervisory Authority for Personal Data Processing (ANSPDCP) enforces the GDPR and the national implementing act, Law no. 190/2018, and is the authority to which breach reports are submitted.
Legal obligations after a data breach
Once a business identifies a personal data breach, it must meet several immediate and ongoing legal obligations.
Notification to the ANSPDCP
Article 33 of the GDPR requires the controller to notify the ANSPDCP without undue delay and, where feasible, no later than 72 hours after becoming aware of the breach, unless the breach is unlikely to result in a risk to individuals' rights and freedoms. A notification made after 72 hours must state the reasons for the delay, and where full details are not yet available the information may be provided in phases (Article 33(4)). The clock starts when the controller becomes aware of the breach, not when the incident began, so it is worth defining in advance what "awareness" means internally (for example, the moment a security alert is triaged and confirmed to involve personal data). Processors have a separate duty under Article 33(2) to notify the controller without undue delay.
The notification must, at a minimum, describe the nature of the breach, including where possible the categories and approximate number of data subjects and of personal data records concerned; give the name and contact details of the data protection officer or another contact point; describe the likely consequences of the breach; and describe the measures taken or proposed to address it and to mitigate its possible adverse effects (Article 33(3)).
Failing to notify, or notifying late without justification, is sanctionable under Article 83(4) with fines of up to €10 million or 2% of total worldwide annual turnover of the preceding financial year, whichever is higher.
Notification to affected data subjects
Where the breach is likely to result in a high risk to individuals' rights and freedoms (for example identity theft, financial loss or discrimination), the business must also communicate the breach to the affected data subjects without undue delay under Article 34. This communication is not required where the data were protected by measures, such as encryption, that render them unintelligible to anyone not authorised to access them (an encrypted laptop whose keys were not compromised typically falls outside Article 34, although the Article 33 assessment still applies), where subsequent measures mean the high risk is no longer likely to materialise, or where individual notices would involve disproportionate effort, in which case a public communication must be made instead (Article 34(3)).
This communication must use clear and plain language. It must describe the nature of the breach and contain at least the contact point, likely consequences and mitigating measures required in the regulator notification (Article 34(2)), and it should tell individuals what they can do to protect themselves, for example resetting passwords, enabling multi-factor authentication or watching for phishing that references the incident.
Internal response strategy in a data breach
Responding to a data breach involves more than timely notifications. Companies must quickly contain the incident by isolating affected systems, revoking compromised credentials and blocking further unauthorised access. Containment should not destroy evidence: logs, disk images and memory captures should be preserved before systems are wiped or rebuilt, because the investigation and the breach record both depend on them.
At the same time, an internal investigation must determine how the breach occurred, whether it is ongoing, and which data and individuals it affected. Article 33(5) requires the controller to document every breach, including the facts, its effects and the remedial action taken, regardless of whether a notification to the ANSPDCP was required; this record is what the authority will ask for first when it checks compliance.
Involving legal counsel and IT experts ensures both legal and technical issues are addressed. After the response, companies should update security protocols, train employees, and revise response procedures. These steps reduce future risks and demonstrate accountability to regulators.
Risk mitigation and compliance strategy
Beyond individual breaches, companies must create a strong privacy and security framework. Romanian organisations should:
- Conduct data protection impact assessments (DPIAs) under Article 35 before starting processing likely to result in a high risk, and revisit them when the processing changes
- Apply data protection by design and by default (Article 25) to systems and software
- Establish clear incident response policies, including who decides whether a breach is notifiable and how the 72-hour clock is tracked
- Train staff on GDPR principles and internal data rules
For businesses in high-risk sectors like finance, healthcare, or technology, proactive compliance can limit liability and reduce regulatory pressure.
Regulatory enforcement and sanctions in Romania
The ANSPDCP has become increasingly proactive in investigating data breaches and applying sanctions where companies fail to meet their obligations under the GDPR. Romanian businesses have been subject to enforcement actions for a range of non-compliance issues, including:
- Delays in reporting breaches within the required timeframe
- Failure to implement adequate data encryption measures
- Unlawful or insufficiently justified employee monitoring practices
- Lack of complete and up-to-date records of data processing activities (Article 30)
While financial penalties are often the most visible consequence—sometimes reaching millions of euros—regulatory enforcement can also cause significant reputational harm, disrupt business operations, and lead to a loss of customer trust.
Conclusion: being prepared is your best defence
Data breaches are inevitable, but non-compliance is not. Romanian businesses must take a proactive approach to GDPR compliance, ensuring that they are prepared to respond within the legal timeframe, protect affected individuals, and demonstrate accountability to regulators.
A well-prepared response plan—backed by legal, technical, and operational safeguards—is essential to minimise exposure and protect both company assets and customer trust.