Romanian DPA fines controller with EUR 4000 following data breach

28.11.2024

On 28 November 2024, the Romanian DPA announced a fine of the RON equivalent of 4,000 EUR imposed against a controller in the oil industry for violation of the GDPR. The violations pertained to the controller’s failure to implement adequate technical and organizational measures.

The fine was applied following an investigation triggered by a data breach notification submitted by the controller. In the reported incident, several individuals received unauthorized e-mails containing malicious phishing content.

Further to the investigation, the Romanian DPA found that personal data belonging to data subjects, held in files owned by the controller, had been unlawfully downloaded and accessed. Moreover, it was found that several persons employed by the controller knew the password for the controller’s customer-correspondence e-mail address, which was supposed to be managed and used exclusively by a processor; this shared knowledge of the password allowed unauthorized access to the e-mail address in question, thus violating the confidentiality of the data.

The Romanian DPA also applied one corrective measure, the controller being ordered to establish an inspection/audit plan at processor level and implement measures to address the deficiencies found in order to avoid similar security incidents.

The press release is available here (only in Romanian).
