Romanian DPA issues new fine for failure to ensure personal data security, including children's data


On 1 November 2021, the Romanian DPA announced that it had sanctioned a home furnishings retailer with a fine of EUR 1,000 for failure to ensure an appropriate level of security of personal data.

The DPA launched its investigation after receiving a data breach notification from the retailer and found that the breach led to the unlawful disclosure of personal data belonging to 114 individuals (including children) for approximately 40 hours on a platform dedicated to loyalty members. The disclosed personal data included the name, surname, and age of children, as well as the name, surname, city, country, e-mail, loyalty membership number, and signature of their parents or legal representatives. Consequently, the Romanian DPA concluded that the retailer did not implement appropriate technical and organizational measures to ensure the security of the processing of personal data, thus breaching Article 32 of the GDPR.

In this context, the DPA emphasized that children merit specific protection with regard to their personal data, as they may be less aware of the risks, consequences, and safeguards concerned and their rights in relation to the processing of personal data.

The press release is available here (only in Romanian).