On 11 July 2022, the Romanian DPA announced that it had sanctioned a courier services company with a EUR 3,000 fine for breaching its obligations regarding the level of security that must be ensured with respect to personal data.
The investigation was launched following the receipt of several complaints reporting that the database of the company was for sale on a website that has since been seized by the Federal Bureau of Investigation (FBI).
During the investigation, the Romanian DPA found that the confidentiality of the data belonging to 26,566 data subjects had been breached, as the data were available for sale on the web.
It is important to note that the company was sanctioned for the aforementioned breach in its capacity as data processor. According to publicly available sources, this is the third time in less than 30 days that the Romanian DPA has sanctioned a data processor for failing to comply with the data protection requirements.
Until recently, the Romanian DPA’s enforcement policy seemed to revolve around punishing controllers for most GDPR-related breaches. However, moving forward, we might see more data processors sanctioned for non-compliance with the data protection requirements, given that the Romanian DPA appears to have changed its approach.
By Iurie Cojocaru, Partner and Co-head of the Data Protection Practice, Vlad Giurgiu, Associate, NNDKP