The Romanian DPA fines a private individual for breaching several GDPR principles


On 3 October 2022, the Romanian DPA announced two fines imposed against a private individual acting as a controller, as follows:

  • EUR 100 for non-compliance with the lawfulness, fairness, and transparency, as well as integrity and confidentiality principles, and
  • EUR 50 for failure to provide the DPA with the information requested during an investigation.

The fines were applied following an investigation initiated in response to a complaint alleging a possible violation of the security of processing by a website owned by the respective individual. Further to the investigation, the DPA concluded that the publication of personal data on this website (e.g., personal identification number – “CNP”, telephone number, ID number and series, e-mail address, bank details regarding property purchases, civil status) constitutes an unauthorized disclosure affecting 383 individuals.

Based on the available public information, this is only the third private individual sanctioned by the Romanian DPA under the GDPR.

The press release is available here (only in Romanian).