The Romanian DPA fines an online retailer EUR 3,000 following data breach


On 24 October 2023, the Romanian DPA announced a fine of EUR 3,000 applied to an online retailer for failure to implement adequate technical and organizational measures to ensure a high level of data protection which constitutes a violation of Art. 32 para. (1) b) and d), and Art. 32 para. (2) of the GDPR.

The investigation was initiated following a complaint alleging a possible personal data breach on the website of the controller.

Investigation showed that the data breach occurred by accessing a link displaying a list of numerous downloadable files containing, mostly, invoices and guarantee certificates for products purchased by the controller’s customers.

This led to the unauthorized disclosure of personal data of the controller’s customers (natural and legal persons), such as name, surname, address, e-mail address, invoice number and date, products purchased, and their value.

The press release is available here (only in Romanian).