Controller sanctioned for inadequate security measures and failure to notify the data breach within the statutory time limit

4.06.2026

On May 29, 2026, the Romanian DPA concluded an investigation into a banking and financial services company. The DPA found that the company had violated its obligation to implement appropriate safeguards ensuring that any natural person acting under the authority of the controller or the processor and having access to personal data processes such data only on the controller's instructions, taking into account the need to ensure a level of security appropriate to the risk of the processing. As a result, the DPA issued an administrative fine amounting to the RON equivalent of EUR 10,000.

The investigation commenced following a complaint from a data subject, which revealed that, in the context of facilitating the renewal of expiring insurance policies, the controller had issued incorrect notifications to a large number of customers via mobile messaging, online banking, and email channels, due to a processing error in the file used to generate those notifications. This incident led to the unauthorized disclosure of, and access to, personal data belonging to a significant number of data subjects, including first and last names, the customer's address, the address and value of the insured property, status as bank clients holding mortgage loan products, policy expiration date, and insurance costs.

The investigation further revealed that the controller had failed to report the data breach within 72 hours of becoming aware of it: the notification was submitted late even though the controller already had concrete information regarding the breach. This led to an additional administrative fine amounting to the RON equivalent of EUR 2,000.

The press release is available here (only in Romanian).
