Petroleum company faces a substantial fine of EUR 110,000 from the Romanian DPA following multiple data breaches


On 13 November 2023, the Romanian DPA announced a fine of EUR 110,000 imposed on a petroleum company for multiple violations of Art. 32 of the GDPR.

The investigation was initiated after the controller submitted several data breach notifications between July 2021 and February 2022, and it was completed in October 2023.

The investigation revealed that the data of some clients had been repeatedly accessed internally from the company’s systems and used in an unauthorized manner. In addition, the personal data of some clients were unlawfully disclosed for the purpose of obtaining loans on their behalf from non-banking financial institutions.

The incident resulted in the unauthorized disclosure of the personal data of the affected individuals, namely, identification data (such as name, surname, series and number of the identification card, personal numerical code, address, place of birth, and photograph) and payroll data (such as name and surname of the employee, date, signature, earned income, and period of employment).

The Romanian DPA found that the controller had not taken steps to ensure that natural persons acting under its authority who have access to personal data process them only on its instructions, and had not implemented technical and organizational measures adequate to ensure a level of security appropriate to the risk of the processing.

The press release is available here (only in Romanian).