The Romanian DPA issues EUR 1,500 fine for failure to ensure personal data security in the banking sector
On 19 April 2021, the Romanian DPA announced that a fine of EUR 1,500 had been imposed on a company in the banking sector (qualified as a processor) for failure to ensure the security of personal data.
The investigation was launched following receipt of a complaint from an affected data subject, as well as a data breach notification submitted by the processor's controller. During the investigation, the DPA found that the processor failed to implement appropriate technical and organizational measures to ensure that any natural person acting under its authority and having access to personal data processes that data only at its request. This failure led to the unlawful destruction of original documents containing personal data concerning a total of 1,058 affected data subjects.
Therefore, the DPA concluded that the processor failed to comply with both GDPR Article 29 (Processing under the authority of the controller or processor) and Article 32 (Security of processing).
The full press release is available here (only in Romanian).