On 29 August 2022, the Romanian DPA announced it sanctioned a bank with a fine of EUR 1,000 for failing to implement appropriate technical and organizational measures to ensure the security of personal data processing operations.
The investigation was launched following the receipt of a data breach notification submitted by the controller reporting that a document was mistakenly sent to another recipient, via an instant messaging platform.
During the investigation, the Romanian DPA found that the controller failed to implement adequate technical and organizational measures and breached its obligation to ensure that any person who acts under its authority (e.g., employees) process personal data only in accordance with its instructions.
The aforementioned breaches led to the unauthorized disclosure of personal data belonging to 4 data subjects, such as their personal numeric codes, data related to credit contracts concluded with the bank and their signatures.
In addition to the fine, the Romanian DPA imposed the following corrective measures, ordering the controller to:
- review and update the technical and organizational measures implemented following the assessment of the risk to the rights and freedoms of individuals, including the working procedures relating to the security of personal data, by implementing, and making sure that the persons acting under its authority are aware of, a prohibition on using their own personal devices (e.g., mobile phones) to communicate with customers via chat services not authorized by the bank;
- ensure that the persons acting under its authority are properly trained in relation to the risks and consequences of unauthorized disclosure of personal data.
It is important to acknowledge the recent focus of the Romanian DPA on imposing more specific corrective measures aimed at mitigating the risks to the rights and freedoms of individuals affected by a data breach.
The press release is available here (only in Romanian).