Systemic Audit of Romania's Credit Ecosystem — 198+ Documented GDPR Violations
5 Attack Axes: BC, CRC, ANSPDCP, INFODEBIT, INTERSECTION
A person in Romania has their financial data spread across at least 5 distinct databases, operated by different entities, without coordination and without informed consent.
| Audit | Subject | Violations | Critical | Specifics |
|---|---|---|---|---|
| 06 | OPANAF 146/2022 (ANAF→banks) | 31 | 5 | 18 attack paths |
| 07 | CRC/BNR + Credit Bureau | 35 | 4 | 12 attack paths |
| 08 | Intersection ANAF ↔ CRC ↔ BC | 10 | 4 | 4 attack lines |
| 09 | Connected credit systems | 11 | 3 | 13 corrective actions |
| 19 | Infodebit & Debt Assignment (INKASSO) | 13 | 7 | Conflict of interest |
| 04 | ANSPDCP (complaint procedure) | 14 | 2 | Illegal filters |
| 10-18 | RNPM, AI Act, Scoring, Damages, Contracts, Criminal Record, Civil Code, Risk Grade | 84 | 19 | Multiple |
Major discovery: Romania's second credit bureau is 100% owned by a debt recovery company.
INKASSO GROUP (through FRIO SRL, controlled by Veaceslav Mîrza) simultaneously owns Infodebit (credit bureau with FICO and ANAF access) and FRIO SRL (debt recovery firm). The closed circuit: collects data → produces score → buys debts → recovers money → pressures debtors with Infodebit reporting.
| Level | Entity | CUI | Control | Activity | Financial 2025 |
|---|---|---|---|---|---|
| Beneficial owner | Veaceslav Mîrza | — | — | Businessman, IT+recovery | — |
| Parent company | FRIO SRL | 33396476 | V. Mîrza (100%) | Recovery software, assignment, collection, credit admin (GEO 1/2024) | TO 1.77M | Profit 1.07M |
| Subsidiary | Infodebit | 46385851 | FRIO SRL (100%) | Credit bureau, FICO, ANAF Income Report, Business score | TO 0.41M | Loss -0.88M |
INKASSO GROUP simultaneously controls Infodebit (which decides who is a "bad debtor") and FRIO SRL (which buys and recovers debts). Infodebit presents itself as an "independent, objective entity" — but its real owner is a debt collector. Infodebit's website nowhere mentions Veaceslav Mîrza's name or the link to INKASSO GROUP.
The closed circuit: Infodebit collects data + ANAF income + FICO score → FRIO selects which debts to buy → FRIO pressures debtors: "Pay or we report you to Infodebit" → FRIO's profit finances Infodebit's losses → The circle closes.
Legal basis: GDPR Art. 5(1)(a) transparency, Art. 5(1)(b) purpose limitation, Competition Law 21/1996.
13 violations (7 critical). Credit bureau owned by debt collector. Structural conflict of interest. No legal framework. ANAF access.
BC AXIS — ANAF→Banks31 violations. Tax income transfer without a law. Forced consent. Non-transparent FICO scoring (Art. 22). Health data (Art. 9).
CRC AXIS — BNR35 violations. Administrative act ≠ law. Banking secrecy (CCR Dec. 17/2015). Disproportionate 7-year retention. Double collection CRC + BC.
ANSPDCP AXIS13 violations (12 critical). Illegal filters. "Admissibility" — concept non-existent in GDPR. Sine die extension. Double procedural blockage.
| # | Violation | Audit | Risk | First Step |
|---|---|---|---|---|
| 1 | Reservation of law — OPANAF 146/2022 = order, not law | 06 V0 | CRITICAL | CCR constitutional exception |
| 2 | Reservation of law — BNR Regulation 4/2025 = infra-legal act | 07 V0 | CRITICAL | CCR constitutional exception |
| 3 | FICO Scoring = automated decision without Art. 22 | 07 V2 | CRITICAL | ANSPDCP complaint + CJUE |
| 4 | "Captive" consent — one signature for 3 processing operations | 08 I2 | CRITICAL | ANSPDCP complaint |
| 5 | Conflict of interest — Infodebit owned by debt collector (INKASSO) | 19 INF-13 | CRITICAL | ANSPDCP + Competition Council |
| 6 | Lack of ANSPDCP prior authorisation — OPANAF 146/2022 | 06 V0bis | CRITICAL | Illegality exception |
| 7 | CNP = universal interconnection super-key | 09 S6 | CRITICAL | ANSPDCP complaint |
| 8 | ANAF health fields contaminate scoring | 08 I6 | HIGH | ANSPDCP complaint + CJUE |
| 9 | Complete profiling without legal basis — data combination | 08 I1 | CRITICAL | Art. 15 request + complaint |
| 10 | Lack of systemic DPIA — interconnected system | 08 I8 | HIGH | ANSPDCP complaint |
| Court | Case | Year | Principle Established |
|---|---|---|---|
| CJUE | C-634/21 SCHUFA | 2023 | Automated scoring = Art. 22 GDPR decision. Right to human intervention. |
| CJUE | C-26/22 SCHUFA II | 2023 | Right to erasure (Art. 17) applies to private credit agency scoring. |
| CJUE | C-252/21 Meta Platforms | 2023 | Consent not freely given when there is a power imbalance. |
| CJUE | C-210/16 Wirtschaftsakademie | 2018 | Joint controllers = joint liability (Art. 26 GDPR). |
| CJUE | C-300/21 Österr. Post | 2023 | Mere fear of fraudulent use = moral damages. No minimum threshold. |
| ECHR | S. and Marper v. UK | 2008 | Generalised, indiscriminate, long-term storage = Art. 8 violation. |
| ECHR | Roman Zakharov v. Russia | 2015 | "Quality of law" test — the law must be accessible and foreseeable. |
| CCR | Dec. 17/2015 | 2015 | Banking secrecy = constitutional guarantee of Art. 26. |
| CCR | Dec. 461/2014 | 2014 | Data confidentiality = corollary of the right to private life. |
Constitutional exception BNR Regulation 4/2025. CCR Dec. 17/2015 — banking secrecy = constitutional guarantee. Odds 55-65%.
BC-3 (Art. 22), BC-5 (Art. 9), BC-2 (Art. 7(4)). Solid arguments, low backlash risk.
Both FICO scores (Credit Bureau + Infodebit) = high-risk AI. Cumulative obligations.
Illegal filters. "Admissibility" non-existent in GDPR. Sine die extension.
BC-1 + CRC-1: Act ≠ law. ONLY after victories in steps 1-4. Otherwise, ABANDON.