The Romanian DPA issues EUR 2,000 fine for failure to ensure employee personal data confidentiality


On 7 May 2021, the Romanian DPA announced a fine of EUR 2,000 was imposed against a controller in the health & fitness sector for failure to ensure the confidentiality of one of its employee’s personal data.

The investigation was launched following the receipt of a complaint. During the investigation, the DPA found that the controller posted on its employees’ WhatsApp group a resignation request of one of its employees, thus allowing unauthorized access of all members of that WhatsApp group to the personal data of the employee who made the resignation request, including his/her address, personal numeric code, series and number of the identity card.

Therefore, the DPA concluded that the controller failed to comply with Article 32 of the GDPR (Security of processing).

As a corrective measure, the DPA ordered the controller to ensure compliance with the GDPR by implementing appropriate technical and organizational measures in case of remote transmission of personal data, including in terms of regular employees’ training. The controller must comply with this corrective measure within 30 days from the date of communication of the minutes.

The full press release is available here (only in Romanian).

For brief suggestions on how to deal with security risks while working from home, you may find helpful the article on our blog – Data Security matters, even when working from home! – Potential Risks and Key Tips.