Romanian entities issued monetary penalties for infosecurity and data protection failures

Regulators in Romania have issued monetary penalties to six Romanian entities for insufficient technical and organizational measures to ensure information security. Two other entities were issued fines for other GDPR violations.

The fines for insufficient technical and organizational measures ranged from 1,000 to 10,000 euros.

Two of the entities were in the medical center. A translation of relevant parts of the penalty notice reads:

The operator of Dr. Furtună Dan Medical Center violated the provisions of art. Art. 32 para. (1) lit. b) and art. 32 para. (2) of Regulation (EU) 2016/679 and was fined in the amount of 4,918.50 RON (the equivalent of 1000 EURO).

During the investigation, the National Supervisory Authority found that the operator of the Dr. Furtună Dan Medical Center sent a message to the phone number of a natural person, via the WhatsApp application, containing the results of two medical tests that belonged to two other people targeted.

During the investigation carried out at the operator Med Life SA , following a notification, it was found that a patient received, by e-mail, in addition to his own investigation bulletin, a series of attached files containing the results of investigations belonging to five other patients. The attached documents contained the name, surname, date of birth, date of examination, reason for the examination, result of the investigation (examination), diagnosis, conclusions resulting from the medical examination .

…  It was also found that Med Life SA did not take measures to ensure that any natural person who acts under the operator’s authority and who has access to personal data only processes them at the request of the operator.

In addition to the monetary penalties, both entities were also given corrective actions to take.

Details of each of the eight penalties and enforcement action are linked from the GDPR Enforcement Tracker.