The Romanian DPA fines an online pharmacy EUR 2,500 following a data breach


On 27 June 2023, the Romanian DPA announced a fine of EUR 2,500 applied to an online pharmacy for violations of Art. 32 para. (1) b) and d), and Art. 32 para. (2) of the GDPR, further to an investigation initiated in response to a data breach notification submitted by the sanctioned controller.

During the investigation, it was found that the breach occurred through the unauthorized installation of malware on the controller’s website: a fictitious banking data collection form was planted on the site, compromising the confidentiality of the banking data of a significant number of customers.

The Romanian DPA concluded that the controller did not implement adequate technical and organizational measures to ensure an appropriate level of security.

A corrective measure was also imposed: the controller was ordered to implement a plan that includes a mechanism for regularly testing, scanning, evaluating, and assessing the security of all of its IT systems, including its website.

The press release is available here (only in Romanian).