On 17 January 2024, the Oradea Court of Appeals confirmed the decision of the Bihor Tribunal of March 2023, which changed the sanctions imposed by the Romanian DPA upon a software company, by replacing two fines with a warning each.
The ruling of Oradea Court of Appeals is final.
In this file, the Romanian DPA initially applied the following fines which were challenged in court:
- a fine of EUR 1,000, for failing to provide the information requested by the authority;
- a fine of EUR 3,000, for failing to implement adequate technical and organizational measures in order to ensure a level of security corresponding to the processing risk.
In its press release issued with regard to the initially applied sanctions, the Romanian DPA referred to the failure by the software company to ensure an adequate level of security by making certain documents (such invoices and transport documents) publicly available on its website. According to the authority, this led to a loss of confidentiality of the customers’ personal data consisting of name, surname, sender and recipient address, telephone number, username and password, e-mail addresses.
We have previously written on our blog about these two sanctions, so if you want to read more, please check here.