Electricity provider sanctioned by the Romanian DPA for failure to ensure data security


On 1 November 2021, the Romanian DPA announced it sanctioned an electricity provider with a EUR 5,000 fine for failure to ensure an appropriate level of security of personal data. Additionally, the DPA issued a warning against the same for noncompliance with the lawfulness requirement.

The investigation was launched following the receipt of several data breach notifications from the electricity provider. Further, the Romanian DPA concluded the provider did not implement appropriate technical and organizational measures to ensure the security of the processing, which led to unlawful access or disclosure of 325 individuals’ personal data to unauthorized recipients.

Additionally, the DPA found that the electricity provider processed 3 customers’ personal data after they had exercised their right to erasure and withdrawn their consent for data processing, thus lacking any of the legal grounds provided by Article 6 (1) of the GDPR.

Moreover, the Romanian DPA imposed corrective measures ordering the electricity provider (i) to review and amend its technical and organizational measures, and (ii) to identify and implement measures ensuring data accuracy, including record-keeping of requests for erasure of personal data.

The press release is available here (only in Romanian).