ROMANIA: Romanian Data Protection Authority issues fine for inappropriate TOMs

Andrei Stoica of DLA Piper writes:

Just days after proudly announcing its first fine under the GDPR, the Romanian Data Protection Authority has done it again: World Trade Center Bucharest S.A. must pay 15,000 euro for breaching the provisions of Art. 32 para. (4) GDPR corroborated with Art. 32 paras. (1) and (2) GDPR.

What happened: according to the official statement posted on the website of the Romanian Authority, a paper-printed list, used in order to check the clients who were having breakfast at the hotel owned by the controller, was photographed by persons outside the company and subsequently published online, thus leading to a data breach which affected 46 persons. Following the notification of the breach, the Data Protection Authority initiated an investigation and concluded that the controller i. did not take steps to ensure that its employees who have access to personal data only process such data on its instructions, and ii. did not implement technical and organisational measures fit to provide a level of security appropriate to the risk of unauthorised disclosure of or access to personal data. The full statement can be found here (in Romanian).

Read more on DLA Piper’s Privacy Matters.

About the author: Dissent