On 24 November 2020, the Romanian DPA announced that a fine of EUR 5,000 had been imposed on a controller in the e-commerce sector for failure to ensure the security of data. The investigation was carried out following a complaint alleging that several details regarding transactions and customers, including minors, were available on the controller’s website.
During the investigation, the DPA concluded that the data breach occurred because the controller did not implement adequate technical and organizational measures to ensure a level of security appropriate to the risk of processing. This led to the disclosure of, and unauthorized access to, the personal data of approximately 1091 individuals who had placed orders on the controller’s website.
At the same time, a warning was issued because the controller did not notify the DPA of the data breach, and a corrective measure was applied requiring the controller to review and update the technical and organizational measures implemented so as to avoid similar incidents.
The full press release is available here (only in Romanian).