The Romanian DPA fines online lending platform EUR 24,000 for GDPR violations: No security measures, data breach notification, nor response to a data subject’s request

On 7 December 2023, the Romanian DPA announced that it had imposed three sanctions totaling EUR 24,000 on an online lending platform for failure to comply with several GDPR requirements, as follows:

  • EUR 20,000 for failure to implement appropriate security measures to prevent unauthorized disclosure of data;
  • EUR 2,000 for failure to notify the DPA of the data security incident within 72 hours of becoming aware of it; and
  • EUR 2,000 for failure to prove that it had responded, within the timeframe set by Article 12 of the GDPR, to the data subject’s request for information on the source from which his or her data had been collected.

The investigation, which was completed in November 2023, was initiated following a complaint claiming that the controller had sent documents containing the personal data of another client to the complainant’s e-mail address. Although the complainant reported this error to the company, no remediation followed.

The Romanian DPA also applied corrective measures, ordering the controller to:

  • ensure compliance with the GDPR when concluding and executing loan agreements, so as to respect the professional secrecy and confidentiality of its clients’ personal data, in particular when documents and messages containing personal data are transmitted electronically, by implementing appropriate and effective security measures both at the technical level (including reliable validation of e-mail addresses, encryption of transmitted documents, and storage and monitoring of logs in its database) and at the organizational level (including training of the persons who process data under its authority), in order to identify and immediately limit the risks that may affect data subjects and to handle correctly the requests and notices received;
  • contact the complainant to delete or destroy, as appropriate, the personal data to which they had access after receiving messages and notifications concerning the other client of the controller;
  • implement an appropriate internal policy for risk identification, risk analysis and notification to the DPA in the event of a security breach, including in terms of proper training of persons processing data under its authority;
  • inform the affected client about the breach of security of their data;
  • respond to the complainant’s request in accordance with Article 15(1) of the GDPR.

After sanctioning a petroleum company with a fine of EUR 110,000 for non-compliance with security requirements (more details available here), it seems that the Romanian DPA is still interested in this type of violation and continues to impose significant fines.

The press release is available here (only in Romanian).