On 15 June 2022, the Romanian DPA announced that it had sanctioned a retailer with a EUR 3,000 fine for disclosing personal data without authorization.
The investigation was launched following the receipt of a data subject’s complaint reporting that a commercial message had been received from the operator by e-mail. This message was also addressed to other data subjects, whose e-mail addresses were visible to all the other 810 recipients.
During the investigation, the Romanian DPA found that the company had not implemented sufficient technical and organizational measures to ensure the confidentiality of the personal data thus processed.
In addition to the fine, the Romanian DPA imposed a corrective measure, ordering the controller to implement appropriate technical and organizational measures when remotely transmitting personal data.
The press release is available here (only in Romanian).