
UniCredit Romania: €12k GDPR fine — preventing misdirected emails

On 29 May 2026, Romania’s ANSPDCP fined UniCredit Bank SA for security shortcomings (Art. 32) and late breach notification (Art. 33) after mailings to wrong recipients. Here is practical DLP that prevents this and evidences compliance.

The facts

On 29 May 2026, the Romanian data protection authority (ANSPDCP) imposed two fines totaling 62,714 lei (about €12,000) on UniCredit Bank SA: insufficient technical and organizational measures under GDPR Article 32 (€10,000) and late notification of a personal data breach under Article 33 (€2,000). The incident stemmed from manual processing errors: client information (name, address, mortgage‑related details) was sent to the wrong recipients, causing an unauthorized disclosure that was then notified to the authority late. Sources: AGERPRES (newswire), the GDPR Enforcement Tracker (summary) and The DPO (analysis).

This case reflects a common European reality: a breach needs neither a sophisticated hack nor ransomware; a misdirected recipient in a mail‑merge, a CSV export sent to the wrong partner, or a poorly anonymized attachment suffices to constitute a data breach — and to trigger strict 72‑hour obligations.

The applicable legal framework

GDPR Article 32 — Security of processing. Controllers and processors must implement “appropriate” technical and organizational measures, taking into account the state of the art and the risks, to prevent unauthorized disclosure of, or access to, personal data. Reference: EUR‑Lex – Regulation 2016/679 (Art. 32). Luxembourg’s CNPD points to this text as the national reference: CNPD – GDPR. For an operational view, also see our GDPR page.

GDPR Article 33 — 72‑hour notification. In the event of a personal data breach, the controller notifies the supervisory authority without undue delay and, where feasible, no later than 72 hours after becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons. A notification made after 72 hours must be accompanied by the reasons for the delay. References: EUR‑Lex – Art. 33, EDPB Guidelines 9/2022 on personal data breach notification.

For NIS 2 entities in Luxembourg, these duties coexist with the 24‑hour early warning to the ILR (the fine discussed here falls under the GDPR alone). Robust detection and logging remain central to meeting the deadlines under either regime.

The technical answer to deploy: modern DLP by design

DLP (Data Loss Prevention) aims to block exfiltration or inappropriate sending of sensitive data via email, web, devices, or SaaS. Concretely, modern DLP delivers:

  • Data classification and labeling (automatic and assisted): detection of personal fields (identity, IBAN, health, HR), regex templates and business dictionaries, “Internal | Confidential | Personal” labels applied to the source document.
  • Egress controls on risky channels: email (recipient verification, compliance auto‑Bcc, misdirected‑recipient prevention, automatic S/MIME or portal encryption), web/SaaS (blocking unauthorized uploads, tokenization), print/USB (block or log the event).
  • Contextual policies: double confirmation when an email leaves the EU with data labeled “Personal”, dynamic masking or column redaction, delegated approval for bulk sends.
  • Traceability and evidence: tamper‑evident logs, timestamps, proportionate retention for Article 33(5) (internal breach register), exportable evidence for the authority.
  • SOC/SIEM integration: each DLP block, bypass, or incident raises a correlated event and a 24/7 alert — supported by our managed SOC.

Good practice references: ISO/IEC 27001:2022 Annex A 8.12 (Data leakage prevention) and 8.10 (Information deletion), NIST CSF 2.0 (PR.DS, Data Security), CIS Controls v8 (Controls 3 and 13). For transfers, DLP/CASB with geographic scoping and geo‑fencing helps demonstrate control over international flows (GDPR Arts. 44‑49), especially where non‑EU cloud services are involved.

How Luxgap deploys this

  • Our ISO 27001 governance: privacy‑by‑design framing and risk analysis; flow mapping, classification, data mapping, DLP policies aligned to Annex A. We act as Lead Implementer/Auditor to translate Article 32 into verifiable controls: DLP rules, thresholds, exceptions, and evidence.
  • Our 24/7 managed SOC: DLP‑to‑SIEM onboarding, “misdirected recipient” use cases, correlations with email gateways and M365/Google; escalation and auto‑containment playbooks (recall/retract message, block attachment, post‑send encryption when feasible).
  • Our fractional DPO and CISO consultants: a proven 72‑hour process covering risk qualification (EDPB Guidelines 9/2022), the decision to notify under Art. 33, the draft notice to the authority (CNPD, CNIL, etc.), the Article 33(5) register and, if needed, the Article 34 communication to data subjects. To outsource the role, see our external DPO.

Concrete case in Luxembourg or the EU

A fiduciary subject to NIS 2 deployed the following in six weeks: 1) automatic classification of accounting exports (IBAN, tax IDs), 2) email DLP “anti‑misdirected‑recipient” (out‑of‑domain double check + auto encryption), 3) blocking of uploads to non‑approved storage services, 4) Article 33(5) register and 72‑hour playbook. Result: three erroneous sends were prevented upstream (the user alert led to re‑addressing); one near‑miss triggered a SOC alert, enabling assessment within 2 hours and a documented “unlikely risk” non‑notification decision, with evidence ready for audit.

First concrete steps

  1. Map outbound flows (email, web, SaaS, SFTP) and label critical datasets: HR, customers, health, finance. Prioritize where a “wrong recipient” would cause the most harm.
  2. Enable email DLP focused on misdirected sends: named recipient verification, out‑of‑domain warning banner, double confirmation for external groups, auto encryption based on label.
  3. Pair DLP with your email gateway, with SPF, DKIM and DMARC already in place for your sending domains (they authenticate your mail to recipients but do not by themselves stop a misdirected send): enforce automatic column redaction in attachments and forbid external sending of unencrypted CSVs.
  4. Integrate DLP with SIEM/SOC: create a priority alert “potential personal data exposure” with a 72‑hour runbook triggering qualification, the Art. 33(5) log, and the notification decision.
  5. Test quarterly: table‑top “erroneous send” drills with timed SLAs (T0 → T+72h), evidence pulled from DLP/SIEM logs, and notification templates ready.
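The DLP capability list above and steps 2 to 4 describe one outbound‑mail policy in words. Here it is as runnable Python, an added example that is not Luxgap’s or any DLP vendor’s code: out‑of‑domain detection, a look‑alike‑domain check for autocomplete mistakes, checksum‑validated IBAN detection so the “Personal” rule fires on content and not only on labels, the CSV and bulk‑send rules, and a SIEM event carrying the evidence. The domains `bank.example` and `auditor.example`, the threshold of 20 recipients, the label names and the sample messages are assumptions constructed for the illustration.

```python
"""Outbound-email DLP policy for the misdirected-recipient rules described above.
Added illustration, not Luxgap's or any vendor's code: the domains, thresholds,
labels and sample messages are assumptions constructed for this example."""
import re
from dataclasses import dataclass, field

INTERNAL_DOMAINS = {"bank.example"}      # assumed: our own sending domain(s)
APPROVED_PARTNERS = {"auditor.example"}   # assumed: contractually approved external domains
BULK_THRESHOLD = 20                       # assumed: external recipients needing delegated approval
SEVERITY = ["allow", "warn", "encrypt", "block"]   # the policy keeps the most severe action

# Loose IBAN shape; the mod-97 check below drops look-alikes such as booking references.
IBAN_RE = re.compile(r"\b[A-Z]{2}\d{2}(?:\s?[A-Z0-9]{4}){2,7}(?:\s?[A-Z0-9]{1,4})?\b")

def iban_valid(candidate: str) -> bool:
    """ISO 13616 check: first four characters moved to the end, letters mapped to 10..35, mod 97 == 1."""
    s = candidate.replace(" ", "").upper()
    if not 15 <= len(s) <= 34:
        return False
    digits = "".join(str(int(ch, 36)) for ch in s[4:] + s[:4])
    return int(digits) % 97 == 1

def find_ibans(text: str) -> list:
    """Checksum-valid IBANs found in text, spaces removed."""
    return [m.group().replace(" ", "") for m in IBAN_RE.finditer(text) if iban_valid(m.group())]

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to flag look-alike recipient domains (auditer vs auditor)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()

@dataclass
class Attachment:
    name: str
    content: str

@dataclass
class Message:
    sender: str
    recipients: list
    body: str
    label: str = "Internal"              # Internal | Confidential | Personal
    attachments: list = field(default_factory=list)

def evaluate(msg: Message) -> dict:
    """Apply the outbound rules; return the SIEM event carrying the most severe action and its evidence."""
    actions, reasons = ["allow"], []
    def hit(action: str, reason: str) -> None:
        actions.append(action)
        reasons.append(reason)
    external = [r for r in msg.recipients if domain(r) not in INTERNAL_DOMAINS]
    ext_domains = sorted({domain(r) for r in external})
    personal = (msg.label == "Personal" or bool(find_ibans(msg.body))
                or any(find_ibans(a.content) for a in msg.attachments))
    if external:                                  # out-of-domain banner on every external send
        hit("warn", f"external recipients at {ext_domains}")
    unapproved = [d for d in ext_domains if d not in APPROVED_PARTNERS]
    for d in unapproved:                          # autocomplete/typo misdirection check
        lookalikes = [k for k in APPROVED_PARTNERS | INTERNAL_DOMAINS if edit_distance(d, k) <= 1]
        if lookalikes:
            reasons.append(f"{d} looks like {lookalikes}")
    if personal and unapproved:
        hit("block", "personal data addressed to unapproved domain(s)")
    elif personal and external:                   # approved partner: force S/MIME or portal delivery
        hit("encrypt", "personal data to approved partner: encryption enforced")
    csvs = [a.name for a in msg.attachments if a.name.lower().endswith(".csv")]
    if csvs and external:                         # plain CSV exports never leave the organisation
        hit("block", f"unencrypted CSV attachment(s) to external recipients: {csvs}")
    if len(external) >= BULK_THRESHOLD:
        hit("block", "bulk external send requires delegated approval")
    action = max(actions, key=SEVERITY.index)
    return {"event": "dlp.outbound", "action": action, "sender": msg.sender,
            "external_domains": ext_domains, "personal_data": personal, "reasons": reasons}

# Constructed sample messages, not real traffic; the IBAN is the public ISO 13616 example value.
SAMPLES = {
    "internal": Message("ops@bank.example", ["risk@bank.example"], "Monthly figures attached."),
    "csv_export": Message("ops@bank.example", ["audit@auditor.example"], "Export as agreed.",
                          attachments=[Attachment("mortgages.csv", "name,iban\nA. Client,GB82 WEST 1234 5698 7654 32\n")]),
    "iban_in_body": Message("ops@bank.example", ["audit@auditor.example"], "Settlement: GB82 WEST 1234 5698 7654 32"),
    "typo_domain": Message("ops@bank.example", ["audit@auditer.example"], "Mortgage file attached.", label="Personal"),
}

if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        verdict = evaluate(msg)
        print(f"{name:13s} -> {verdict['action']:8s} {verdict['reasons']}")
```

A production gateway takes these decisions in a transport rule or DLP policy rather than in a script; the point is that every verdict carries its reasons, which is what ends up in the Article 33(5) register and in the first triage step of the 72‑hour runbook. Note the severity order: personal data to an approved partner is forced into encrypted delivery, a plain CSV or a bulk send is blocked outright, and a look‑alike domain is recorded as evidence and, being unapproved, blocks any personal data addressed to it.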
