On 29 December 2020, the Romanian DPA announced a fine of EUR 1,000 was imposed against a controller in the IT sector for failure to ensure data security.
The investigation was carried out following the receipt of complaints alleging that the said controller had sent an information e-mail to 295 job candidates in a way that enabled each recipient to see the e-mail address of other recipients.
During the investigation, the DPA concluded that the controller did not implement sufficient security measures to ensure the confidentiality of the personal data, thus breaching the obligations set under Article 32 of the GDPR.
The Romanian DPA also applied a corrective measure for the controller to implement appropriate technical and organizational measures in case of remote transmission of personal data, including regular training of the persons who process personal data under its authority (e.g., employees, collaborators).
The press release is available here (only in Romanian).