Bank's claim against DPA sanction rejected by Bucharest Tribunal


On 16 April 2024, the Bucharest Tribunal ordered the rejection as unfounded of the administrative complaint lodged by a controller in the banking sector against the fine applied by the Romanian data protection authority (Romanian DPA).

The background of this case: On 3 November 2023, the Romanian DPA announced a fine of EUR 3,000 imposed on a bank for failing to implement adequate technical and organizational measures to ensure a high level of data protection and for failing to notify the DPA of the data breach. The investigation was opened following a complaint alleging a possible personal data breach where the controller had sent the complainant’s personal data to another person by email. In the context of the aforementioned sanctions, specific corrective measures such as regular training of persons who process data under the authority of the controller, the establishment of appropriate rules for the creation and management of files or the adoption of internal measures necessary for the early detection, management and reporting of personal data breaches, in order to ensure the processing of personal data complies with the GDPR, have also been applied. (See our complete summary here).

The text of the Bucharest Tribunal decision, with the motivation of the court, is not yet available.

This decision is not final and may still be challenged before the Bucharest Court of Appeals.