On 10 February 2021, the Romanian DPA announced that a fine of EUR 1,000 had been imposed on a bank for failure to implement sufficient technical and organizational measures, which led to a breach of confidentiality.
During the investigation that followed a data breach notification submitted by the bank, the Romanian DPA found that the bank had transmitted files containing outdated personal data of 270 individuals to a partner contracted for issuing insurance policies, on two different dates, without complying with the established working procedure.
Interestingly, the Romanian DPA considered that the bank had failed to comply with both GDPR Article 29 (Processing under the authority of the controller or processor) and Article 32 (Security of processing).
The press release is available here (only in Romanian).