The Romanian DPA has shown a particular interest in cases where companies failed to ensure that their employees and collaborators process data only upon their request. At least 8 GDPR-related fines have been applied by DPA in similar cases until now. The fines are normally ranging between EUR 1,500 and EUR 5,000, but there were also cases when the amounts of fines significantly exceeded this threshold.
The latest such fine was announced on 26 November 2021. In its statement, the Romanian DPA reported sanctioning a company in the business process outsourcing industry with a EUR 2,000 fine for failure to ensure an appropriate level of security of personal data.
The DPA launched its investigation following the receipt of a data breach notification from a controller. According to the notification form, a call center employee of the sanctioned company (acting in its capacity of processor) had accidentally sent to a client of the controller an Excel file containing the personal data of the controller’s Internet Banking clients.
Further, the Romanian DPA found the sanctioned company, acting as a processor, did not implement appropriate technical and organizational measures to ensure that any natural person acting under its authority and having access to personal data only processes said data at its request, which led to unlawful access or disclosure of 11,169 individuals’ personal data, including e-mail address, username, user’s personal numerical code (“CNP” in Romanian), telephone number, name, client code, and client’s PIN.
Consequently, the Romanian DPA concluded that the said processor failed to comply with both GDPR Article 29 (Processing under the authority of the controller or processor) and Article 32 (Security of processing).
The press release is available here (only in Romanian).
