Iasi Court of Appeal annuls fine imposed on non-bank financial institution


On 5 February 2024, Iasi Court of Appeals admitted the claim of a non-bank financial institution and annulled the fine imposed by the Romanian DPA.

This decision comes after Iasi Tribunal initially rejected the claim of the non-bank financial institution in May 2023.

The ruling of Iasi Court of Appeals is final.

In this file, the investigation of the Romanian DPA began after a data breach notification as a result of a ransomware attack.

The ransomware attack led to the unauthorized access to and loss of integrity and availability of persona data (such as identification data, data from identity cards, addresses, telephone numbers, account excerpts).

As a result, the authority imposed a fine of EUR 2,250 for the omission by the non-bank financial institution to implement adequate technical and organizational measures to ensure an adequate level of data security, including the capacity to ensure the continuous confidentiality, integrity, availability and resistance of the processing systems and services.