On June 15, 2026, the Romanian DPA concluded an investigation into a company operating in the private security sector. The DPA found that the company had failed to ensure that individuals acting under its authority processed personal data only on its instructions and to implement appropriate measures to ensure an adequate level of security. As a result, the DPA issued an administrative fine amounting to RON equivalent of EUR 2,000.
The investigation was initiated following the controller’s submission of a personal data breach notification concerning an incident involving the processor, which revealed that an employee allowed an unauthorised third party to access the video surveillance monitoring room located inside a retail store. This subsequently enabled the third party to access, record, and disseminate video footage on a social media platform, resulting in a breach of confidentiality affecting a significant number of data subjects.
In addition to the fine, the DPA ordered the processor to implement additional control and monitoring measures to ensure compliance with its internal working procedures and the instructions established by the controller.
The press release is available here (only in Romanian).
