On 20 June 2022, the Romanian DPA announced that it had sanctioned a marketing agency with a EUR 1,000 fine for failure to ensure the confidentiality of the processed personal data.
What is important here is that the marketing agency was sanctioned in its capacity as a processor. Until now, the Romanian DPA has not been very eager to sanction processors. From the publicly available sources, this seems to be only the fifth case in which a processor has been fined by this authority for GDPR-related non-compliance. However, it is already the second public DPA statement this month in which a processor is sanctioned. It remains to be seen whether we are witnessing a change in the DPA's approach.
The investigation was launched following a data subject's complaint reporting that a commercial message had been received by e-mail. This message was also addressed to 27 other data subjects without concealing their data, thus allowing unauthorised disclosure of email addresses to the other recipients.
During the investigation, the Romanian DPA found that the fined company failed to comply with the GDPR provisions since, as a data processor, it had not implemented sufficient technical and organizational measures to ensure the confidentiality of the personal data it processed.
The press release is available here (only in Romanian).