A company that unlawfully disclosed a recording on social media has its challenge against a EUR 10,000 fine dismissed by the Iasi Tribunal


On May 15, 2024, the Iasi Tribunal dismissed a complaint filed by a company in the leisure industry. The company had been fined by the Romanian Data Protection Authority (Romanian DPA) and was contesting this fine.

Background: The Romanian DPA had fined the company EUR 10,000 for not following certain rules set by the GDPR. The company had shared a customer’s personal information on social media without permission. This included an audio-video recording and comments that revealed the customer’s ethnic origin. The company also did not delete the data when the customer asked it to.

As part of the penalties, the company was also required to take specific corrective actions. These included creating written procedures, responding to the customer’s request to delete data related to social media posts, and putting in place other technical and organizational measures.

These measures involved training staff and partners on their responsibilities when handling data, setting up access restrictions, checking who has access, and putting systems in place to detect and manage any data breaches early on. Check our complete summary of the sanction here.

The court’s detailed reasoning for its decision is not yet available. It is also worth noting that this decision can still be challenged before the Iasi Court of Appeals. So, this may not be the end of the story. Stay tuned for updates!