Natural Person – €500 Fine (Romania, 2021)

The Romanian DPA (ANSPDCP) started an investigation after receiving a complaint against an individual who held the office of Secretary-General in a subsidiary branch of a political party in the City of Bucharest. The complainant filed the complaint based on the fact that the defendant's social networking site published a list of 10 supporters for the mayoral election in Bucharest. This list disclosed the personal data of these supporters, including their name, number of their identity document, nationality, address, political choice and signature. Is disclosing the personal data of supporters of a political party an infringement of Article 32 GDPR in conjunction with Article 5(1)(f) GDPR? The Romanian DPA (ANSPDCP) found that the controller violated Article 32 GDPR as they had not implemented appropriate technical and organisational measures to ensure a level of security necessary for the processing of personal data. By disclosing the personal data of 10 individuals, the DPA found that the controller failed to comply with the associated principle of "integrity and confidentiality" (Article 5(1)(f) GDPR). The DPA imposed a corrective measure against the controller, ordering it to erase the personal data revealed on their website. Similarly, the DPA imposed a fine of approximately 500 EUR against the controller.