On 13 January 2025, the Romanian DPA announced a fine of the RON equivalent of EUR 2,000 imposed on a controller in the healthcare industry for a violation of the GDPR. The violation pertained to the controller’s unauthorized disclosure of a patient’s login credentials.
The fine followed an investigation triggered by a complaint stating that, at one of the controller’s biological sampling clinics, the credentials used to access the claimant’s e-mail account were displayed on a computer monitor where they were publicly visible.
Further to the investigation, the Romanian DPA found that the controller had failed to adopt adequate technical and organizational measures to ensure a level of security appropriate to the processing risk, including the ability to ensure the confidentiality of certain data subjects’ personal data. This failure allowed unauthorized access to personal data, at least at the time of the complaint.
The Romanian DPA also imposed two corrective measures: the controller was ordered to train its personnel on the risks and consequences arising from data processing activities, and to adopt an updated password policy that includes rules on keeping user credentials confidential.
The press release is available here (only in Romanian).