Electronics and home appliances retail company sanctioned for inadequate data security measures and failure to notify the data breach

25.06.2026

On June 18, 2026, the Romanian DPA concluded an investigation into a company operating in the electronics and home appliances retail sector. The DPA found that the company had violated its obligation to implement appropriate technical and organizational measures to ensure the security and confidentiality of personal data. As a result, the DPA issued an administrative fine amounting to the RON equivalent of EUR 7,000.

The investigation was initiated following a complaint submitted by a data subject, which revealed that, due to a technical vulnerability in the controller’s mobile application during the account validation process, personal data relating to a third party had been unlawfully accessed. This incident resulted in the unlawful disclosure of personal data, including the third party’s name, surname, invoices, and delivery addresses.

The investigation further revealed that the controller had failed to notify the DPA of the data breach and to inform the affected data subject about the incident. These infringements resulted in two additional administrative fines, amounting to the RON equivalent of EUR 2,000 and EUR 1,000, respectively.

In addition to the fines, the DPA imposed a series of corrective measures, requiring the controller to review its user account validation and authentication mechanisms, implement procedures for periodic vulnerability testing of the application, establish internal procedures for managing security incidents and assessing notification obligations, provide regular training to the relevant personnel, and submit a written response to the complainant addressing the concerns raised.

The press release is available here (only in Romanian)
