ROMANIA: Romanian Data Protection Authority issues fine for inappropriate TOMs

Andrei Stoica of DLA Piper writes:

Just days after proudly announcing its first fine under the GDPR, the Romanian Data Protection Authority has done it again: World Trade Center Bucharest S.A. must pay 15,000 euro for breaching the provisions of Art. 32 para. (4) GDPR corroborated with Art. 32 paras. (1) and (2) GDPR.

What happened: according to the official statement posted on the website of the Romanian Authority, a paper-printed list, used in order to check the clients who were having breakfast at the hotel owned by the controller, was photographed by persons outside the company and subsequently published online, thus leading to a data breach which affected 46 persons. Following the notification of the breach, the Data Protection Authority initiated an investigation and concluded that the controller i. did not take steps to ensure that its employees who have access to personal data only process such data on its instructions, and ii. did not implement technical and organisational measures fit to provide a level of security appropriate to the risk of unauthorised disclosure of or access to personal data. The full statement can be found here (in Romanian).

Read more on DLA Piper’s Privacy Matters.

About the author: Dissent

2 comments to “ROMANIA: Romanian Data Protection Authority issues fine for inappropriate TOMs”

  1. RBV - July 11, 2019

    The article’s title states “…inappropriate TOMs”. What does TOMs stand for? Tried searching for it but received too many obviously incorrect responses.

    • Dissent - July 11, 2019

      In the post, it refers specifically to “technical and organisational measures,” so my guess was that that was what TOMs refers to.
