S.P.E.E.H. Hidroelectrica S.A. – €5,000 Fine (Romania, 2021)

The Romanian DPA (ANSPDCP) has imposed a fine of EUR 5,000 on S.P.E.H. Hidroelectrica S.A.. The controller had notified the DPA of several breaches of personal data protection under Art. 33 of the GDPR. The data breach led to the data of 325 individuals being accessed unlawfully or passed on to the wrong recipients. The DPA considered this to be a breach by the controller of its obligation under Art. 32 (1) b), (2) GDPR to implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk represented by the processing. In addition, the DPA found that the controller had processed personal data of three customers after they had exercised their right to erase their data and revoked their consent to the processing. The processing was therefore carried out without a valid legal basis. The DPA imposed a fine of EUR 5,000 for a breach of Art. 32 (1) b), (2) GDPR. For a violation of Art. 5 (1) a) GDPR, Art. 6 (1) a) GDPR, the DPA further issued a warning.