THIS SITE DOCUMENTS 198+ SYSTEMIC GDPR VIOLATIONS — ROMANIA'S CREDIT ECOSYSTEM — IMPACT DOMAIN: INJUST.SITE

INJUST.SITE

Systemic Audit of Romania's Credit Ecosystem — 198+ Documented GDPR Violations
5 Attack Axes: BC, CRC, ANSPDCP, INFODEBIT, INTERSECTION

44 CRITICAL Violations 48 HIGH-RISK Violations 198+ Total Violations 16 CJUE Questions 12 CCR Exceptions ⚠ INFODEBIT: Conflict of Interest

1The Credit Reporting Ecosystem — 5+ Interconnected Systems

A person in Romania has their financial data spread across at least 5 distinct databases, operated by different entities, without coordination and without informed consent.

┌──────────────────────────────────────────────────────────────────────────┐ │ THE CREDIT REPORTING ECOSYSTEM │ ├──────────────────────────────────────────────────────────────────────────┤ │ │ │ CRC / BNR Credit Bureau S.A. INFODEBIT │ │ BNR Reg. 4/2025 FICO 1 FICO 2 + ANAF │ │ Bank loans Loans + scoring Loans + commercial │ │ Op: BNR (public) Op: Private (banks) Op: INKASSO GROUP (!) │ │ Established: 2004 Established: 2004 Established: 2022 │ │ │ │ │ │ CIP / BNR ANAF (OPANAF 146) │ │ │ Payment incidents Tax income │ │ │ Cheques, prom. notes complete (3 yrs) │ │ │ │ │ │ │ └──────────┬───────────┘ │ │ ▼ │ │ COMMERCIAL BANK — the nodal point of the intersection │ │ Queries ALL systems. Holds the complete financial profile │ │ without the individual knowing or being able to control this. │ │ │ │ ADDED 2022: INFODEBIT — the 2nd credit bureau, owned by │ │ INKASSO GROUP (FRIO SRL — debt recovery company). │ │ The same group controls both data collection and debt recovery. │ └──────────────────────────────────────────────────────────────────────────┘

2Audit Statistics

198+
Total violations identified
44
CRITICAL violations
48
HIGH-RISK violations
19
Audits performed
5
Credit reporting systems
3
Target courts (CJUE, CCR, ECHR)
AuditSubjectViolationsCriticalSpecifics
06OPANAF 146/2022 (ANAF→banks)31518 attack paths
07CRC/BNR + Credit Bureau35412 attack paths
08Intersection ANAF ↔ CRC ↔ BC1044 attack lines
09Connected credit systems11313 corrective actions
19Infodebit & Debt Assignment (INKASSO)137Conflict of interest
04ANSPDCP (complaint procedure)142Illegal filters
10-18RNPM, AI Act, Scoring, Damages, Contracts, Criminal Record, Civil Code, Risk Grade8419Multiple

Infodebit / INKASSO GROUP — Structural Conflict of Interest

Major discovery: Romania's second credit bureau is 100% owned by a debt recovery company.

⚠ THE SAME GROUP OWNS BOTH THE CREDIT BUREAU AND THE DEBT RECOVERY FIRM

INKASSO GROUP (through FRIO SRL, controlled by Veaceslav Mîrza) simultaneously owns Infodebit (credit bureau with FICO and ANAF access) and FRIO SRL (debt recovery firm). The closed circuit: collects data → produces score → buys debts → recovers money → pressures debtors with Infodebit reporting.

LevelEntityCUIControlActivityFinancial 2025
Beneficial ownerVeaceslav MîrzaBusinessman, IT+recovery
Parent companyFRIO SRL33396476V. Mîrza (100%)Recovery software, assignment, collection, credit admin (GEO 1/2024)TO 1.77M | Profit 1.07M
SubsidiaryInfodebit46385851FRIO SRL (100%)Credit bureau, FICO, ANAF Income Report, Business scoreTO 0.41M | Loss -0.88M
CRITICAL — INF-13

Structural conflict of interest: the same group owns the credit bureau + the debt recovery firm

INKASSO GROUP simultaneously controls Infodebit (which decides who is a "bad debtor") and FRIO SRL (which buys and recovers debts). Infodebit presents itself as an "independent, objective entity" — but its real owner is a debt collector. Infodebit's website nowhere mentions Veaceslav Mîrza's name or the link to INKASSO GROUP.

The closed circuit: Infodebit collects data + ANAF income + FICO score → FRIO selects which debts to buy → FRIO pressures debtors: "Pay or we report you to Infodebit" → FRIO's profit finances Infodebit's losses → The circle closes.

Legal basis: GDPR Art. 5(1)(a) transparency, Art. 5(1)(b) purpose limitation, Competition Law 21/1996.

3Attack Axes — CJUE, CCR, Administrative Litigation

4Top 10 Violations — Maximum Priority

#ViolationAuditRiskFirst Step
1Reservation of law — OPANAF 146/2022 = order, not law06 V0CRITICALCCR constitutional exception
2Reservation of law — BNR Regulation 4/2025 = infra-legal act07 V0CRITICALCCR constitutional exception
3FICO Scoring = automated decision without Art. 2207 V2CRITICALANSPDCP complaint + CJUE
4"Captive" consent — one signature for 3 processing operations08 I2CRITICALANSPDCP complaint
5Conflict of interest — Infodebit owned by debt collector (INKASSO)19 INF-13CRITICALANSPDCP + Competition Council
6Lack of ANSPDCP prior authorisation — OPANAF 146/202206 V0bisCRITICALIllegality exception
7CNP = universal interconnection super-key09 S6CRITICALANSPDCP complaint
8ANAF health fields contaminate scoring08 I6HIGHANSPDCP complaint + CJUE
9Complete profiling without legal basis — data combination08 I1CRITICALArt. 15 request + complaint
10Lack of systemic DPIA — interconnected system08 I8HIGHANSPDCP complaint

5Essential Case Law

CourtCaseYearPrinciple Established
CJUEC-634/21 SCHUFA2023Automated scoring = Art. 22 GDPR decision. Right to human intervention.
CJUEC-26/22 SCHUFA II2023Right to erasure (Art. 17) applies to private credit agency scoring.
CJUEC-252/21 Meta Platforms2023Consent not freely given when there is a power imbalance.
CJUEC-210/16 Wirtschaftsakademie2018Joint controllers = joint liability (Art. 26 GDPR).
CJUEC-300/21 Österr. Post2023Mere fear of fraudulent use = moral damages. No minimum threshold.
ECHRS. and Marper v. UK2008Generalised, indiscriminate, long-term storage = Art. 8 violation.
ECHRRoman Zakharov v. Russia2015"Quality of law" test — the law must be accessible and foreseeable.
CCRDec. 17/20152015Banking secrecy = constitutional guarantee of Art. 26.
CCRDec. 461/20142014Data confidentiality = corollary of the right to private life.

6Optimal Attack Strategy — Sequence

STEP 1
CCR: Banking Secrecy

Constitutional exception BNR Regulation 4/2025. CCR Dec. 17/2015 — banking secrecy = constitutional guarantee. Odds 55-65%.

STEP 2
CJUE: FICO + Health Data

BC-3 (Art. 22), BC-5 (Art. 9), BC-2 (Art. 7(4)). Solid arguments, low backlash risk.

STEP 3
AI Act (post 02.08.2026)

Both FICO scores (Credit Bureau + Infodebit) = high-risk AI. Cumulative obligations.

STEP 4
ANSPDCP: Procedure Attack

Illegal filters. "Admissibility" non-existent in GDPR. Sine die extension.

STEP 5
Nuclear phase (conditional)

BC-1 + CRC-1: Act ≠ law. ONLY after victories in steps 1-4. Otherwise, ABANDON.

The full documentation is available

16 CJUE preliminary reference questions, 12 CCR constitutional exceptions, 5 CJUE questions on ANSPDCP, administrative litigation strategies, opportunity analysis and backlash prevention.

⚠ NEW: Infodebit/INKASSO Investigation — 3 attack vectors (lack of BNR authorisation, flawed FICO contract, suspicious financing) + 5 Law 544 requests ready to send.

Infodebit Details Request Documentation

7Frequently Asked Questions

What is INJUST.SITE?
It is an impact domain documenting 198+ systemic violations in Romania's credit ecosystem — a complete X-ray of the illegal interconnection of citizens' financial data between ANAF, BNR, banks, Credit Bureau and Infodebit. The project provides concrete legal tools (CJUE questions, CCR exceptions, litigation strategies) to challenge these systems.
What is Infodebit and why is it a scandal?
Infodebit is Romania's second credit bureau, established in 2022. It is 100% owned by FRIO SRL (INKASSO GROUP), a debt recovery company controlled by Veaceslav Mîrza. The same group controls both the credit bureau that decides who gets loans, and the firm that recovers debts. Infodebit has access to ANAF income data and produces FICO scores — without any specific legal framework.
How many credit reporting systems exist in Romania?
At least 5: (1) CRC/BNR — bank loans; (2) Credit Bureau S.A. — loans + FICO 1; (3) Infodebit — loans + commercial debts + FICO 2 + ANAF income; (4) CIP/BNR — payment incidents; (5) Banks' internal scoring systems. Additionally: ANAF (OPANAF 146/2022) and AEGRM/RNPM (public collateral registries).
What can I do if my data is being processed illegally?
(1) Art. 15 GDPR request to each operator (ANAF, BNR, Credit Bureau, Infodebit, the bank) — find out what data they hold; (2) ANSPDCP complaint; (3) Administrative litigation action; (4) Moral damages action (Art. 82 GDPR); (5) Referral to the Ombudsman → CCR.
What are the 3 major legal vulnerabilities of Infodebit?
(1) Lack of BNR authorisation — Infodebit operates as a credit bureau without a specific authorisation. BNR does not regulate the "credit bureau" category. CAEN 6619 does not cover scoring with legal effects (Art. 22 GDPR).
(2) Flawed FICO contract — Fair Isaac Corporation licenses FICO only to authorised credit bureaus. If Infodebit obtained the licence without being authorised, the contract is null — and all scores ever produced are null.
(3) FRIO→Infodebit financing — Infodebit has negative equity of -1.69 million RON. Losses are financed by FRIO (forced recovery). The flow of money from recovery → scoring → bank subscriptions may constitute money laundering (Law 656/2002).