Controller fined for data breach linked to processor’s employee misconduct

7.02.2025

On February 6, 2025, the Romanian DPA announced the conclusion of an investigation concerning a controller in the insurance field, finding the company in breach of Article 32(4) GDPR in conjunction with Articles 32(1) and 32(2). As a result, the controller was fined the lei equivalent of EUR 3000.

The investigation commenced following a data breach notification by the controller, which revealed that an employee of a processor had inappropriately collected money by filing false claims for non-existent events using the identities of several insured individuals. The employee in question, who had access to the controller’s claim files, accessed, without authorization, personal data including names, home addresses, personal identification images, national identification numbers, ID card details, medical information, and financial data of the clients.

The investigation concluded that the controller failed to implement appropriate technical and organizational measures to ensure a security level commensurate with the processing risk. This included maintaining the integrity of data to prevent unauthorized access and ensuring that any individual acting under the authority of either the controller or the processor accessed personal data solely upon the controller’s request.

In addition to the fine, the DPA has ordered the insurance company to develop a plan for inspections and audits of the processor in order to prevent similar security incidents in the future.

The press release is available here (only in Romanian).
