Energy supplier fined EUR 3,000 by the Romanian DPA for data breach


On 14 March 2023, the Romanian DPA announced it sanctioned an electric energy supplier with a EUR 3,000 fine for failing to implement adequate technical and organizational measures to ensure a level of security appropriate to the processing risk.

The investigation was initiated following the receipt of a data breach notification lodged by the said controller.

During the investigation, the Romanian DPA found that the data breach occurred through unauthorized access to the controller’s e-mail server. This led to a breach of confidentiality that affected personal data such as name, surname, e-mail address, personal numerical code (“CNP” in Romanian), telephone numbers, and household addresses.

The press release is available here (only in Romanian).