The Romanian DPA fines a bank EUR 3,000 and issues a warning following a data breach


On 3 November 2023, the Romanian DPA announced a fine of EUR 3,000 imposed on a bank for a violation of Article 32 GDPR, together with a warning for failure to notify under the provisions of Article 33 GDPR.

The investigation was opened following a complaint alleging a possible personal data breach where the controller had sent the complainant’s personal data by e-mail to another person.

During the investigation, the representatives of the Romanian DPA concluded that the sanctioned bank had not implemented adequate technical and organizational measures to ensure a high level of data protection and that the bank had failed to notify the DPA of the data breach affecting the complainant’s personal data.

Furthermore, the following corrective measures were ordered:

(I) Ensure that the processing of personal data complies with the GDPR by implementing technical and organizational security measures appropriate to the specific processing and the risks identified, throughout the data processing cycle, in particular concerning:

  • verifying the accuracy of the personal data processed;
  • establishing appropriate rules for the creation and management of files that may be transmitted using electronic (remote) means of communication;
  • training the persons who process data under their authority and regularly verifying compliance with the instructions given to them;
  • automating certain processes to reduce the risks of unlawful or unauthorized processing of personal data.

(II) Ensure compliance of personal data processing operations with the GDPR by adopting internal measures necessary for the early detection, management, and reporting of personal data breaches (whether requiring notification to the supervisory authority and/or data subjects), as well as appropriate and regular training of persons who process data under the authority of the controller.

The press release is available here (only in Romanian).