On 23 March 2021, the Romanian DPA announced a fine of EUR 2,000 was imposed against a medical service provider for failure to implement appropriate technical and organizational measures to ensure that any natural person acting under its authority and having access to personal data only processes said data at the request of the controller.
During the investigation following a data breach notification submitted by the said medical service provider, the Romanian DPA found that personal data (including, among others, health data) were unlawfully disclosed and accessed by other individuals than the entitled recipients.
In addition, the Romanian DPA required the controller to review and update the technical and organizational measures to ensure a level of security appropriate to the risk and to implement measures to ensure that the personal data processed are accurate and up to date.
The press release is available here (only in Romanian).
