On 22 August 2022, the Romanian DPA announced that it had imposed a fine of EUR 10,000 on an energy company for failing to implement appropriate technical and organizational measures to ensure the security of its processing, as required by Article 32 of the GDPR.
The DPA’s investigation began after a customer of the controller reported receiving an e-mail containing another customer’s personal data and related unprotected documents. The DPA concluded that the controller had failed to (i) explain why the e-mail was misdirected, (ii) provide evidence of remedial measures taken to mitigate the risks to the rights and freedoms of the affected data subject, and (iii) notify the breach to the DPA, even though the circumstances triggered the notification obligation under Article 33 of the GDPR.
In addition to the fine, the Romanian DPA issued a warning for breaching the notification obligation and imposed the following corrective measures, ordering the controller to:
- implement appropriate technical and organizational security measures, throughout the whole processing cycle, in particular in terms of (i) training the individuals processing data under its authority (employees or collaborators), (ii) monitoring their compliance, (iii) automating certain processes to reduce the risks of unlawful or unauthorized processing, and (iv) early detection, management, and reporting of personal data breaches;
- request the reporting individual (the customer who received the misdirected e-mail) to delete or destroy, as appropriate, the personal data accessed as a result of that e-mail;
- adopt internal measures to mitigate the risks to which the affected personal data has been exposed in order to prevent future unlawful disclosure or access to such data.
Compared to the DPA’s previous practice in similar cases, it is noteworthy that more specific corrective measures were imposed to mitigate the risks to the rights and freedoms of the individuals affected by the breach.
The press release is available here (only in Romanian).