The Romanian DPA fines a data controller following a confidentiality breach

23.09.2022

On 21 September 2022, the Romanian DPA announced it sanctioned a publishing house with a fine in the equivalent of EUR 5,000 for failing to implement appropriate technical and organizational measures in order to ensure the security of personal data processing operations.

The investigation of the DPA was finalized in August 2022 and was launched following the receipt of notifications submitted by the controller reporting that 2 data breaches occurred with respect to the data processed by controller.

The first data breach relates to the publishing on an online forum of a file containing the data base with clients of the controller. This breach led to the unauthorized disclosure of personal data belonging to belonging to 10.739 data subjects, such as their name, phone number, email, password (encrypted) and IP address. This type of breach is categorized as being a confidentiality breach and is the most common one due to the fact that it can easily be caused by human error.

As regards the second data security incident that has been reported by the controller, the Romanian DPA found during the investigation that the controller was targeted with a ransomware attack that resulted in both the unavailability and the loss of confidentiality of the personal data related to approximately 100 data subjects. As opposed to a typical ransomware attacks, where the data base is only encrypted, thus generating only a loss of access to such, it seems that in the case of the publishing house the hacker may have also gained access to and/or altered the personal data, rendering this breach as both an availability and a confidentiality data breach.

The Romanian DPA concluded that the controller did not implement adequate technical and organizational measures to ensure an appropriate level of security of personal data. Hence, in addition to the fine imposed, the Romanian DPA ordered the controller to review and update its technical and organizational measures and to implement additional IT security solutions.

The press release is available here (only in Romanian).

Tags:Corrective measuresData breachDPADPA investigationGDPR fineSecurity of processingUpdate

-                                        Number of fines
-                                        Highest fine
+,000 €
-                                        Lowest fine
+€
-                                        Total amount of fines
+,000 €
-                                        Number of corrective measures
-                                        Number of fines triggered by data breach notifications
-                                        Number of fines triggered by complaints
-                                        Legal provisions mentioned in press releases
+                                        Article 24 (1), Article 32 (1) b), d), (2) of GDPR, Article 18 (2) of Law 102/2005

Dismissal of the data protection officer

Minimum data protection checklist on future law on whistleblowing protection

Introducing NIS 2 – main things to know and follow

Iurie Cojocaru

Partner, Head of the Data Protection practice

Roxana Ionescu

(1981-2023)

Statistics

Subscribe to NNDKP’s newsletters

Statistics

More In the spotlight

Statistics

Subscribe to NNDKP’s newsletters