ROMANIA: Romanian Data Protection Authority issues fine for inappropriate TOMs

Just days after proudly announcing its first fine under the GDPR, the Romanian Data Protection Authority has done it again: World Trade Center Bucharest S.A. must pay 15,000 euro for breaching the provisions of Art. 32 para. (4) GDPR corroborated with Art. 32 paras. (1) and (2) GDPR.

What happened: according to the official statement posted on the website of the Romanian Authority, a printed paper list used to check the clients who were having breakfast at the hotel owned by the controller was photographed by persons outside the company and subsequently published online, leading to a data breach which affected 46 persons. Following the notification of the breach, the Data Protection Authority initiated an investigation and concluded that the controller (i) did not take steps to ensure that its employees who have access to personal data process such data only on its instructions, and (ii) did not implement technical and organisational measures fit to provide a level of security appropriate to the risk of unauthorised disclosure of or access to personal data. The full statement can be found here (in Romanian).

The sanction is of particular interest as it re-confirms the practice of the Romanian Data Protection Authority of starting an investigation (almost) each time it is notified in respect of a data breach. This conduct was so far made possible by the relatively low number of breach notifications submitted in Romania. It will be interesting to see how the Authority’s decision will influence the approach of Romanian companies on this matter.

For further information and advice on next steps, please get in touch with your usual DLA Piper contact.

Andrei Stoica, DLA Piper