Romanian DPA sanctions controller for breach of security of processing


On 15 January 2024, the Romanian DPA announced a fine of EUR 3,000 imposed on a controller in the motorcycle repair sector for failing to implement adequate technical and organizational measures to ensure a level of security corresponding with the risk posed by the processing. The Romanian DPA found that Art. 32(1)(a), (b) and (d) and Art. 32(2) of the GDPR was breached.

The investigation was initiated after the controller submitted a data breach notification.

The data breach involved the unauthorized disclosure of personal data (id, address, first name, last name, email address, company, sales, asset, newsletter subscription, date of registration and of last visit) of a significant number of customers. The personal data concerned was accessible on the controller’s website.

The Romanian DPA also applied two corrective measures, requiring the controller to:

  • implement a plan that includes a process of periodic testing, evaluation and assessment of all systems and their subsequent changes made by the controller or by its service providers, in particular on the website managed by the controller;
  • prepare and implement password complexity procedures, in particular for administrator accounts, including specific requirements regarding: the minimum length of the password, the number of characters, its expiration period, and the impossibility of reusing a previously registered password.

The press release is available here (only in Romanian).