Security Breach Notification
Internal procedure for managing and notifying personal data security breaches under GDPR Art. 33-34.
1. What constitutes a personal data breach
Under GDPR Art. 4(12), a "personal data breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed. Breaches may affect one or more of the three information security properties:
- Confidentiality: data accessed or disclosed without authorisation (e.g., database exfiltration, unauthorised account access);
- Integrity: data modified or corrupted without authorisation (e.g., ransomware encrypting or altering records);
- Availability: data destroyed or made inaccessible (e.g., accidental deletion, DDoS attack blocking access to data).
2. Obligation to notify ANSPDCP within 72 hours
Under GDPR Art. 33, in the event of a personal data breach, Media Design S.R.L. will notify the Romanian Data Protection Supervisory Authority (ANSPDCP) without undue delay and, where feasible, no later than 72 hours after becoming aware of the incident, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons. If notification cannot be transmitted within 72 hours, it will be sent together with the reasons for the delay.
3. Obligation to notify the data subject
Under GDPR Art. 34, where a personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, Media Design S.R.L. will communicate the breach to the data subject without undue delay, using clear and plain language accessible to the affected person. Risk assessment is carried out according to the criteria in section 4.
4. Internal incident management procedure
Upon detection of a potential security incident, Media Design S.R.L. follows the steps below:
- Detection: identification of the incident through automated system alerts, internal report from a collaborator, or external notification (client, security researcher, third party);
- Triage: confirmation that the incident constitutes a personal data security breach (and not a technical false positive);
- Risk assessment (5 criteria): (a) nature and severity of the possible consequences; (b) number of data subjects affected; (c) categories of data involved (sensitive data carry a higher risk); (d) ease with which the data can be misused; (e) whether the data were encrypted or pseudonymised;
- Notification: activation of the obligation to notify ANSPDCP and/or data subjects as set out in sections 2 and 3 above;
- Documentation: recording in the internal breach register under GDPR Art. 33(5), including facts, effects and remediation measures, regardless of whether notification was required.
5. Content of the notification to ANSPDCP
Under GDPR Art. 33(3), the notification to ANSPDCP will include at least:
- the nature of the personal data breach, including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
- the contact details of our data protection contact point (DPO or equivalent);
- the likely consequences of the personal data breach;
- the measures taken or proposed to address the breach, including, where appropriate, measures to mitigate its possible adverse effects.
If information is not fully available within 72 hours, the initial notification will include the information available, to be supplemented without undue delay.
6. Content of the notification to the data subject
Under GDPR Art. 34, the communication to the data subject will be drafted in clear and plain language and will include:
- a description of the nature of the personal data breach;
- what data were affected (categories, types);
- what we have done to remedy the situation and limit negative effects;
- what actions we recommend the data subject take to protect themselves (e.g., changing passwords, monitoring financial transactions);
- the contact details of our data protection contact point.
7. Exceptions to notifying the data subject
Under GDPR Art. 34(3), notification to the data subject is not required where:
- Media Design S.R.L. has implemented appropriate technical and organisational protection measures, in particular measures that render personal data unintelligible to any person not authorised to access it, such as encryption (affected data are fully encrypted and the key was not compromised);
- Media Design S.R.L. has taken subsequent measures that ensure the high risk to the rights and freedoms of data subjects is no longer likely to materialise;
- notification to each data subject would involve a disproportionate effort; in this case a public communication or similar measure will be made so that data subjects are informed equally effectively.
8. Internal breach register
Under GDPR Art. 33(5), Media Design S.R.L. documents all personal data security breaches, including those that do not require ANSPDCP notification, in an internal breach register. The register includes:
- date and time of detection;
- description of the facts;
- categories and (estimated) number of data subjects and records affected;
- likely effects and consequences;
- remediation measures taken;
- reasoned decision on whether to notify or not notify ANSPDCP / data subjects.
The register is retained for 5 years and made available to ANSPDCP on request.
9. How to report a suspected breach
If you suspect a data security breach or have identified a vulnerability, please contact us immediately:
- Email: contact@mediadesignro.ro — subject: "Data Security Incident"
- Phone: +40 744 933 131
In your report, include (if known): what you observed, when, which pages or features are involved, relevant screenshots or error messages. Do not actively test vulnerabilities without our prior written consent.
10. ANSPDCP contact details
The national supervisory authority can be contacted directly at:
Romanian Data Protection Supervisory Authority (ANSPDCP)
B-dul G-ral. Gheorghe Magheru nr. 28-30, Sector 1, Bucharest, postal code 010336, Romania
Phone: +40 318 059 211
Email: anspdcp@dataprotection.ro
Web: www.dataprotection.ro
Last updated: 1 June 2026.