The Romanian DPA fines a telecom operator approx. EUR 1,000 for failure to ensure data security in the process of issuing invoices


On 27 May 2021, the Romanian DPA announced a fine of approximately EUR 1,000 was imposed on a telecom operator after several invoices for its clients were erroneously sent to the e-mail addresses of third parties. This led to the unauthorized access to certain personal data of the said clients, such as name, surname, telephone number, client code, and address.

The investigation was launched following the receipt of a data breach notification from the telecom operator as per Article 33 of the GDPR. Further to this, the Romanian DPA concluded the said telecom operator did not implement appropriate technical and organizational measures to ensure the security of the processing of personal data, thus breaching Article 3 (1) and (3) letters a) and b) from the Romanian Law transposing the ePrivacy Directive.

The press release is available here (only in Romanian).