The Romanian DPA fines shopping center EUR 3,000 for failure to implement adequate security measures


On 11 December 2023, the Romanian DPA announced a fine of EUR 3,000 imposed on a controller in the retail sector for breaches of Article 32 para. (1) letter b) and para. (2) of the GDPR.

The investigation was initiated as a result of a complaint about a possible breach of the GDPR.

The investigation revealed that a data breach had occurred on the controller’s website, exposing the personal data (such as names, surnames, and email addresses) of a significant number of data subjects who were participants in a raffle organized by the controller.

Consequently, it was found that the controller did not implement adequate technical and organizational measures to ensure a level of security appropriate to the risk of the processing, including the ability to ensure the confidentiality of the processing systems and services. This incident resulted in the unauthorized disclosure of, or access to, personal data displayed on the controller’s website.

The press release is available here (only in Romanian).