On October 9, 2025, the Romanian DPA announced the conclusion of an investigation concerning a controller in the energy sector, finding the company in breach of GDPR Article 32(1)(b) and 32(2). As a result, the controller was fined the RON equivalent of EUR 25,000.
The investigation commenced following a data breach notification submitted by the controller. The notification revealed that a significant number of data subjects were affected by unauthorized access to, and exfiltration of, personal data consisting of user account data, e-mail addresses and passwords. The authority concluded that the controller had not implemented appropriate technical and organizational measures to ensure a security level appropriate to the risk, in particular measures to prevent accidental or unlawful disclosure of, or unauthorized access to, personal data transmitted, stored or otherwise processed. That failure resulted in the unauthorized access to the above data and created a high risk of potential financial harm to the affected data subjects.
In addition to the fine, the DPA ordered the controller to implement mandatory multi-factor authentication for all users, along with other appropriate technical and organizational measures to ensure a security level appropriate to the risk associated with processing via the controller’s customer accounts.
The press release is available here (only in Romanian).