On 12 January 2023, the Romanian DPA announced that it had sanctioned a logistics network with a 2,000 EUR fine for failure to ensure the security of processing.
The investigation was finalized in December 2022 and launched following two data breach notifications submitted by the controller.
During the investigation, the Romanian DPA found that the data breach resulted from the misappropriation of a binder containing the personnel files of 12 employees, which led to personal data being accessed by unauthorized persons.
It was concluded that the controller had failed to implement adequate technical and organizational measures to ensure a level of security appropriate to the risks presented by processing, in particular accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored, or otherwise processed. As a result, contact/identification data, academic and professional training data, employment details, tax deductions and dependents information, and occupational medicine evaluation data were unlawfully accessed.
In addition to the fine, the Romanian DPA imposed a corrective measure, ordering the controller to review and amend the technical and organizational measures implemented based on the assessment of the risk to the rights and freedoms of individuals, including (i) ensuring data protection working procedures, and (ii) training the persons authorized to process data on the risks and consequences of disclosing such information.
The press release is available here (only in Romanian).