An engineering and technical consulting company sanctioned for inadequate security measures

9.04.2026

On April 3, 2026, the Romanian DPA concluded an investigation into an engineering and technical consulting company. The DPA found that the company had violated its obligations concerning the principles relating to processing of personal data and the security of processing. As a result, the DPA issued an administrative fine amounting to the RON equivalent of EUR 2,500.

The investigation commenced following a data breach notification submitted by the controller, which revealed that the IT infrastructure had been compromised, affecting both the confidentiality and availability of personal data and allowing unauthorized access to the personal data of a significant number of data subjects.

The authority concluded that the controller had not implemented appropriate technical and organizational measures to ensure a level of security appropriate to the risks posed by the processing activities, including, among other things, safeguarding confidentiality and regularly testing and evaluating the effectiveness of those measures.

In addition to the fine, the DPA ordered the controller to take corrective measures by implementing, at both technical and procedural levels, a system for monitoring data flows.

The press release is available here (Romanian language only).
