On 13 November 2023, ANSPDCP published a press release announcing the completion of an investigation and the imposition of a fine of 546,073.00 lei (approximately EUR 110,000) as a result of a violation of Art. 32 para. (4) in conjunction with Art. 32 para. (1) letter b) and art. 32 par. (2) of Regulation (EU) 2016/679.
The investigation was initiated following the company’s submission of several personal data breach notifications during the period 20.07.2021 – 3.02.2022.
As a result of the investigation, it was found that an employee of the company had unauthorizedly accessed the software owned by the company and illegally disclosed the personal data of some customers to obtain loans from non-bank financial companies on their behalf.
The incident resulted in the unauthorized disclosure of the following personal data of data subjects: identity card data (such as name, surname, ID card series and number, personal numerical code, address, place of birth, photo) and salary statement data (such as: employee’s name, date, signature, income, seniority).
The press release is available here.
The largest fine imposed by the Authority was EUR 130,000 and was imposed on a bank in 2019.