A new fine imposed by the Romanian DPA for failure to ensure data security


On 17 December 2020, the Romanian DPA announced a fine of EUR 100,000 was imposed against a controller in the banking sector for failure to ensure the security of personal data.

During its investigation, the Romanian DPA found that a statement requested by the controller from one of its clients was disclosed on the Internet. The client’s statement referred to the way in which the client intended to use a certain amount of money that he/she wanted to withdraw from the bank account, and it was forwarded to several employees of the controller on their professional e-mail addresses. One of the employees printed the e-mail with the client’s statement, as well as the correspondence between the controller’s employees. Another employee took a photo of the printed document with his/her mobile phone and sent it through WhatsApp. Subsequently, the document was posted and distributed on social media and on a website.

This situation led to the unauthorized disclosure and access to certain personal data (name and surname, e-mail addresses, behavioral data, personal preferences, financial transaction value, work place address, position and work place, professional telephone number) relating to four data subjects (the affected client and three employees of the controller).
In establishing the amount of the fine, it appears the Romanian DPA has also taken into account the fact that the disclosure of personal data on the Internet generated several moral damages, as well as other significant economic or social disadvantages for the controller’s client.

The full press release is available here (only in Romanian).