On 22 February 2022, the Romanian DPA announced that it had sanctioned a law firm with a EUR 1,000 fine for failing to comply with the following GDPR principles: lawfulness, fairness, and transparency; purpose limitation; data minimization; integrity and confidentiality; and accountability.
The investigation was launched following the receipt of a complaint from a client of the said law firm alleging the unlawful disclosure of a document containing their personal data by posting it on a WhatsApp group used by other lawyers.
During the investigation, the Romanian DPA found that the law firm disclosed the complainant’s personal data (name, surname, home address, information relating to a court case) to 247 other lawyers without a legal basis, in a manner incompatible with the original purpose for which they were collected, and without implementing technical and organizational measures for ensuring the confidentiality of such data. Thus, the Romanian DPA concluded that the law firm failed to comply with several principles relating to personal data processing.
In addition to the fine, the Romanian DPA imposed the following corrective measures, ordering the controller:
- to ensure notification of all members of the respective WhatsApp group to delete the document posted thereon that contains the complainant’s personal data;
- to ensure compliance with the GDPR requirements for data collection and further processing activities while assisting and representing the controller’s clients in order to avoid disclosure of their personal data unless permitted by law, including through regular training of persons processing data under the controller’s authority.
This is not the first time that the Romanian DPA has imposed sanctions for unlawful processing of personal data while using WhatsApp. To date, from what is publicly known, the sanctions for such WhatsApp-related breaches have ranged between EUR 2,000 and EUR 150,000.
The press release is available here (only in Romanian).