New sanctions imposed by the Romanian DPA on a medical service provider for several GDPR breaches


On 24 August 2021, the Romanian DPA announced two fines imposed against a medical service provider for failure to ensure data security and to notify a data breach. Additionally, the DPA issued a warning against the same provider for noncompliance with the transparency principle and data subjects’ right of access.

One fine amounted to EUR 2,000 and was imposed for failure to implement appropriate technical and organizational measures ensuring the security of personal data when using a processor. The other fine amounted to EUR 1,000 and was imposed for not notifying the data breach to the DPA.

The investigation was launched following the receipt of the affected data subject’s complaint after being informed by the said medical service provider about the loss of a package containing his/her biological samples and a sum of money sent through a courier company. Afterward, the controller failed to provide the information expressly requested by the affected data subject under the right of access.

In addition, the Romanian DPA ordered the controller to implement technical and organizational measures to ensure a level of security appropriate to the risk, including with respect to its processors, as well as to respond to the affected data subject’s access request.

The full press release is available here (only in Romanian).