Romanian DPA imposes sanction on energy company for inadequate technical and organizational measures


On 2 October 2023, the Romanian DPA announced a fine of EUR 1,000 against an energy company for violation of art. 32 para. (1) letter b) and art. 32 para. (2) of GDPR.

The sanction was imposed following a complaint about GDPR violations. The investigation found that the controller had sent disconnection notices to customers by e-mail, because those customers had not allowed the gas distribution operator's staff access to the place of consumption to read or replace the measuring equipment.

When the messages were sent by e-mail, some recipient addresses were transcribed incorrectly, so the disconnection notices went to customers who were not the rightful owners of the consumption site in question.

The incident resulted in the exposure of individuals’ personal information, including their first and last names, mailing addresses, consumption site addresses, customer codes, and consumption site codes. This breach compromised the data security of both individual and corporate entities due to unauthorized disclosure or access.

As a result, the Romanian Data Protection Authority determined that the controller failed to establish sufficient technical and organizational safeguards to match the processing risk. This included the inability to ensure the confidentiality, integrity, continuous availability, and resilience of the processing systems and services.

The press release is available here (only in Romanian).