Water and sewage services provider fined EUR 3,000 by the Romanian DPA for unlawfully disclosing e-mail addresses


On 4 January 2023, the Romanian DPA announced it sanctioned a water and sewage services provider with a EUR 3,000 fine for failing to implement adequate technical and organizational measures to ensure a level of security appropriate to the processing risk.

The investigation was launched following the receipt of a data breach notification submitted by the said controller, and it was finalized in December 2022.

During the investigation, the Romanian DPA found that the data breach occurred by sending a message to the users registered on the controller’s online portal, mistakenly using the function “To” instead of “BCC”.

As a result, a significant number of individuals have been affected by this data breach that led to unauthorized disclosure of or access to personal data (i.e., e-mail addresses).

The press release is available here (only in Romanian).

Compared to the Romanian DPA’s previous practice in similar cases, the amount of the fine imposed in this instance is in line with the 2022 approach (e.g., another EUR 3,000 fine in this case), which represents an upward trend compared to the 2020 approach (e.g., a EUR 1,000 fine in this case).