On 8 February 2023, the Romanian DPA announced that it had sanctioned a provider of a recruitment services platform in the medical sector with a EUR 5,000 fine for failing to implement adequate technical and organizational measures to ensure a level of security appropriate to the processing risk.
The investigation was launched after the controller submitted a data breach notification, and it was finalized in January 2023.
During the investigation, the Romanian DPA found that the data breach occurred through unauthorized access to the IT infrastructure managed by the controller, which made it possible to download and delete certain personal data.
As a result, there was unauthorized disclosure of, or access to, certain personal data in candidates’ CVs, such as name, surname, e-mail, telephone number, professional/educational history, hobbies and family status.
The controller was also required to review and update the technical and organizational measures implemented following a risk assessment, as well as the working procedures relating to the protection of personal data and employee training.
The press release is available here (only in Romanian).