The Romanian DPA has shown particular interest in cases where companies failed to ensure that their employees and collaborators process personal data only on the controller's instructions. At least 7 GDPR-related fines have been imposed by the DPA in such cases so far. The fines typically range between EUR 1,500 and EUR 5,000, but there have also been cases in which the amounts significantly exceeded that range.
The most recent fine of this kind was announced on 11 November 2021. In its statement, the Romanian DPA declared that it had sanctioned a major telecommunications company with a fine of EUR 1,500 for violations of the rules on security of data processing laid down in the General Data Protection Regulation ('GDPR'), and RON 7,000 (approx. EUR 1,400) for violations of the rules on security of data processing laid down in Law No. 506/2004 on the Processing of Personal Data and the Protection of Privacy in the Electronic Communications Sector (which transposes the ePrivacy Directive in Romania).
The DPA launched its investigation after receiving several personal data breach notifications from the company.
Following the personal data breach notification under the GDPR, the DPA found that the company had not implemented adequate technical and organizational measures to ensure that any natural person acting under the authority of the company, or under the authority of a processor authorized by the company, who has access to personal data processes them only on the controller's instructions, and to ensure a level of security appropriate to the risk of the processing, including the ability to ensure the confidentiality of the data. This led to unauthorized disclosure and/or unauthorized access to the personal data of 6 individuals between 16 November 2020 and 18 May 2021 (service contracts sent to erroneous e-mail addresses, and the controller's employees accessing customers' personal data without any request from those customers).
Following the personal data breach notification under the ePrivacy legislation, the DPA reached the same conclusion regarding the failure to adopt adequate technical and organizational measures, which led to unauthorized access by the company's employees to the personal data of 64 individuals between 4 November 2020 and 22 June 2021.
The press release is available here (only in Romanian).