On 25 November 2022, the Romanian DPA announced that it had sanctioned a provider of financial services with a EUR 3,000 fine for failing to implement adequate technical and organizational measures to ensure compliance with the data protection principles, both at the time of the determination of the means for processing and at the time of the processing itself.
The investigation was finalized in November 2022 and was launched following the receipt of a data breach notification submitted by the controller.
During the investigation, the controller claimed that an individual had informed it that he had been able to access its IT platform in an unauthorized manner by altering the URL address and creating an administrator account. He was thus able to access the data of the controller’s clients (legal entities) with accounts on the platform used for tracking information related to leasing contracts.
The unauthorized access to the platform was made possible by the lack of a level of security appropriate to the risk entailed by the data processing operations. As a result, the confidentiality of the personal data of data subjects (individuals registered as contact persons for the affected legal entities) processed through the platform was breached.
The Romanian DPA concluded that the controller did not adopt the necessary technical and organizational measures, both at the time of the determination of the means for processing and at the time of the processing itself.
The controller did not have in place a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.
At the same time, the controller did not implement adequate technical and organizational measures to ensure a level of security appropriate to the risk of the processing, including the ability to ensure the ongoing confidentiality, integrity, availability and continuous resilience of the processing systems and services.
The press release is available here (only in Romanian).