On July 7 2022, the Romanian DPA announced it sanctioned a software company with two fines amounting in total to EUR 4,000 for non-compliance with the obligation to ensure data confidentiality, as well as failure to comply with the DPA`s request for information.
During the investigation, the Romanian DPA found that the controller failed to implement adequate technical and organizational measures to ensure a level of security appropriate to the processing by making publicly available on its website documents (such as invoices issued by the company to its customers and AWBs-transport documents). This led to a loss of confidentiality of the personal data of the controller`s customers consisting of name, surname, sender and recipient address, telephone number, username and password, e-mail addresses.
Therefore, the company was sanctioned as follows:
- with a fine of 1000 EURO, as the controller did not provide the information requested by the Authority;
- with a fine of 3000 EURO, as the controller did not implement adequate technical and organizational measures in order to ensure a level of security corresponding to the processing risk.
The press release is available here (only in Romanian).