On 6 March 2023, the Romanian DPA announced two new sanctions: (i) EUR 2,250 fine applied to a non-banking financial institution, and (ii) EUR 3,000 fine applied to a debt management provider.
Both investigations were launched following the receipt of the data breach notifications submitted by the controllers.
The Romanian DPA found that each of the data breaches occurred due to a ransomware attack, which resulted in unauthorized access to and the loss of the integrity and the availability of personal data (e.g., identification data, data from identity cards, addresses, telephone numbers, and account statements).
Considering the remedial measures indicated by each of the controllers, the Romanian DPA concluded that they did not implement adequate technical and organizational measures to ensure an appropriate level of security of personal data.
This is the second time the Romanian DPA has imposed fines for such data breaches. Last year, the Romanian DPA sanctioned a controller targeted by a ransomware attack for a data breach that affected the personal data related to approximately 100 data subjects. More details are available here.
The press release is available here (only in Romanian).