On January 19, 2026, the Romanian DPA concluded an investigation into an automotive manufacturing company. The DPA found that the company had violated its obligations concerning the principles relating to the processing of personal data and the security of processing. As a result, the DPA issued two administrative fines amounting to the RON equivalent of EUR 5,000 and EUR 10,000, respectively.
The investigation commenced following a data breach notification submitted by the controller, which revealed that a significant number of data subjects were affected after unauthorized access and exfiltration of personal data occurred.
According to the information provided, an Excel file containing a centralized list of the company’s employees was repeatedly shared internally. The file included personal data, including medical information derived from the medical certificates of current and former employees.
The investigation further revealed that the controller had not implemented appropriate technical and organizational measures to ensure a level of security appropriate to the risks posed by the processing activities.
In addition to the fines, the DPA ordered the controller to take corrective measures by implementing, within a technical and organizational procedure, all processes involving the processing of personal data, including the establishment of a monitoring and control process to promptly identify any personal data security breach incidents.
The press release is available here (Romanian language only).

