Software company fined EUR 70,000 by the Romanian DPA, acting as the lead supervisory authority, for data security violations


On 21 August 2023, the Romanian DPA announced a fine of EUR 70,000 applied to a software company for violations of the GDPR rules on privacy by design and by default and security of processing.

The investigation commenced in response to a personal data breach notification submitted by the respective controller following the publication of the personal data of approx. 600,000 users of its platform on a publicly accessible website. The personal data disclosed consists of the user’s name and surname, each user’s unique identifier, e-mail address, name of the user’s employer, country, and details of the level of knowledge obtained throughout the courses held on the sanctioned controller’s platform. The said data were publicly available for approx. 10 days.

As a consequence, this data breach was considered likely to result in physical, material, or moral harm to data subjects, such as loss of control over their personal data or loss of confidentiality thereof.

The Romanian DPA concluded that the sanctioned company failed to implement:

  • adequate technical and organizational measures to ensure that, by default, personal data cannot be accessed, without the intervention of the individual, by an unlimited number of persons, including the ability to ensure the confidentiality and resilience of the processing systems and services, as well as
  • a process for regular testing, evaluation, and assessment of the effectiveness of the technical and organizational measures to ensure the security of the processing.

The Romanian DPA also applied a corrective measure, ordering the controller to implement a mechanism, applied at regular intervals, for periodically testing, evaluating, and assessing the effectiveness of the measures adopted, taking into account the risk posed by the processing, so as to ensure an adequate level of security and avoid similar security incidents in the future.

The Romanian DPA noted that the cooperation procedure set under Article 60 of the GDPR was followed.

The press release is available here (only in Romanian).