Prahova Tribunal partially overturns GDPR sanction applied in the context of disclosure of data

19.02.2026

A recent court case involving a Romanian data controller and the Romanian Data Protection Authority (Romanian DPA) has concluded with the fine being replaced by a warning.

Background of the investigation

The investigation, completed in January 2025, was initiated following a complaint about the controller’s unlawful disclosure of employee data to a third party. The Romanian DPA found that the company had disclosed the complainant’s personal and health data in violation of legal requirements, and that the third party subsequently relied on this information in judicial proceedings.

As a result, the controller was sanctioned with the RON equivalent of EUR 2,000.

Court decision

After the controller contested the sanctions, the Prahova Tribunal ruled on February 10, 2026, that the fine imposed for the data breach was annulled and replaced with a warning.

Implications for data protection compliance

We are still waiting for the text of the court's decision to understand the reasoning behind its judgment. In the meantime, it may be stressed that the unlawful disclosure of personal data, including health data, constitutes a compliance risk. Companies handling employee records must ensure that their data processing and disclosure practices fully comply with GDPR requirements, including the principles of lawfulness, purpose limitation, data minimization, and security, and must implement appropriate measures to prevent unauthorized access to or sharing of sensitive information.

The court decision can be challenged before the Court of Appeals.
