On 15 October 2020, the Romanian DPA announced that a fine of EUR 3,000 had been imposed on a data controller in the e-commerce sector for failure to ensure both the security of data and data protection by design and by default. The investigation was carried out following a notification claiming that some personal data of the customers were accessible on the controller’s website.
During the investigation, the DPA concluded that the controller had not implemented sufficient security measures to prevent unauthorized access to, and disclosure of, the personal data of customers who placed orders on the website. At the same time, the DPA recommended that the controller establish a shorter retention period for personal data related to customer accounts in order to comply with the storage limitation principle.
The full press release is available here (only in Romanian).