On 14 May 2021, the Romanian DPA announced a fine of EUR 200 was imposed against a private individual (qualified as controller) with regard to a website that generated affidavits necessary for individuals to leave their home while the Romanian territory was under an emergency state due to the COVID-19 pandemic. The private individual was fined for noncompliance with the lawfulness, fairness and transparency, purpose limitation, and accountability principles, for not being able to prove the lawfulness and the prior information of the individuals that used the website with regard to the collection and storage of the personal data used to generate the affidavit.
Moreover, the Romanian DPA sanctioned the said controller for not taking adequate security measures ensuring the protection of the file containing the individuals’ personal data against the risks presented by the processing, in particular those arising from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored or otherwise processed.
The press release is available here (only in Romanian).