Another controller in the banking sector sanctioned EUR 3,000 by the Romanian DPA for violating GDPR requirements on personal data security


On 18 July 2023, the Romanian DPA announced a fine of EUR 3,000 applied to a controller in the banking sector for violations of Article 32 para. (1) (b), (2), and (4) of the GDPR.

The investigation began after the controller submitted a personal data breach notification following the unauthorized transmission of a .pdf file containing personal data through the WhatsApp application.

This resulted in a confidentiality breach of the personal data belonging to a substantial number of the controller’s customers.

The Romanian DPA concluded that the sanctioned bank failed to implement appropriate technical and organizational measures to maintain a level of security corresponding to the risks arising from the personal data processing, including from the accidental or illegal destruction, loss, alteration, unauthorized disclosure of, or access to personal data stored or otherwise processed.

The press release is available here (only in Romanian).