The Romanian DPA fines a retailer EUR 8,000 following a data breach


On 15 June 2023, the Romanian DPA announced a fine of EUR 8,000 imposed on a retailer for violations of Art. 32 para. (1) b) and Art. 32 para. (2) and (4) of the GDPR, further to an investigation initiated following notification of a personal data breach.

The investigation showed that employees of the controller accessed the video surveillance system and used their cell phones to record the monitor on which the system was playing the video recordings. The captured images were forwarded to a third person, who posted them on Facebook. This incident resulted in the unlawful disclosure of data related to the image of an individual, car registration number, color, and make of the vehicle.

Thus, it was held that the controller did not implement adequate technical and organizational measures to ensure an appropriate level of security of personal data, which led to the loss of confidentiality of personal data, caused by the violation of the controller’s internal procedures.

The Romanian DPA representatives emphasized that the controller did not take measures to ensure that any natural person acting under its authority and having access to personal data does not process them unless requested to do so by the controller.

Therefore, the controller was also required to implement appropriate measures to monitor the application of the internal working procedures in place to avoid similar security incidents.

The press release is available here (only in Romanian).