On February 19, 2026, the Suceava Tribunal dismissed a complaint from a company in the tourism sector. The company had been fined by the Romanian Data Protection Authority (DPA) and was contesting the fine.
As background, the DPA fined the controller the RON equivalent of EUR 5,000 for publishing on its Facebook page a table containing tourists’ personal data without implementing adequate security measures, which led to the unlawful disclosure of the data subjects’ personal data. It also imposed a further fine of the RON equivalent of EUR 1,000 for failing to notify the data breach. Additionally, the DPA issued a warning due to the controller’s failure to provide evidence of having fully responded to data subjects exercising their right of access.
Moreover, the company was required to take corrective actions, including implementing appropriate technical and organizational measures to ensure compliance, training personnel handling personal data, establishing procedures to quickly detect, manage, and report data breaches, and providing data subjects with responses to their access requests.
The court’s detailed reasoning is not yet available. It is also worth noting that the decision may still be challenged before the Suceava Court of Appeal.
