The Romanian DPA has levied cumulative fines amounting to EUR 7,000 against a major retail chain for several breaches of the GDPR.
The fines were imposed following multiple data breach notifications and subsequent investigations that exposed significant lapses in the retail chain’s data protection measures, resulting in unauthorized access and disclosure of personal data.
Details of the Breaches
The DPA’s investigations revealed three main areas of concern, each leading to separate fines:
- Unauthorized recording and disclosure:
- Security personnel improperly used mobile phones to record footage from surveillance cameras during a store incident and disclosed the footage to one of the data subjects, upon request.
- Email data leak:
- In a recruitment process mishap, an email containing personal data of a candidate was erroneously sent to an unrelated third party. This error led to unauthorized access to personal data such as the candidate’s name and the location of the job application.
- Improper monitoring access:
- In another instance, a customer reporting a theft was allowed by a security agent to access surveillance footage directly. The customer then used their mobile phone to photograph the surveillance screen, capturing images of the alleged perpetrator and subsequently sharing these images on social media. This action contravened data protection laws by permitting unauthorized access to surveillance material.
Imposed corrective measures
The Romanian DPA has mandated as corrective measure the designation of one or more persons at the level of the organization to monitor the processing activities of personal data by persons acting under the authority of the organization, in accordance with operational procedures, to prevent similar security incidents.
The complete press release detailing this decision is available on the Romanian DPA’s website – here (only in Romanian).
