Casa Rusu SRL – €1,977 Fine (Romania, 2022)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
Romania's data protection authority fined Casa Rusu SRL EUR 1,977 for not securing customer payment data on its website. This is important because it shows the need for strong security measures to protect sensitive information like credit card details.
What happened
Casa Rusu SRL failed to secure customer payment data on its website, leading to a data breach.
Who was affected
Customers of Casa Rusu SRL whose payment information was stored on the company's website.
What the authority found
The authority concluded that Casa Rusu SRL did not implement adequate security measures to protect customer data, violating GDPR requirements.
Why this matters
This case highlights the importance of implementing robust security measures and regularly testing them to protect customer data. Businesses should ensure their systems are secure to prevent unauthorized access.
GDPR Articles Cited
Based on a notification of a personal data breach pursuant to Article 33 GDPR by Casa Rusu SRL, a controller, the Romanian DPA started an investigation. During its investigation, the DPA found that the breach was the result of insufficient security measures in the online payments section of the controller's website. The website's data bank stored the bank details of the controller's clients. By using an unauthorized entry in the website's security form, a breach occurred which gave an unauthorized party access to the personal data of the controller's clients and data subjects, namely: the first and last name of bank card holders, their card numbers, the date and year of expiry of the bank cards, and the bank card's CVC code.
The DPA's investigation showed that the controller did not implement adequate technical and organizational measures, both at the time of establishing the means of processing the personal data, and at the time of the processing itself. It also came to light that the controller did not carry out any periodic testing, evaluation, and assessment of the effectiveness of its technical and organizational measures to guarantee the security of processing as required to effectively implement the principles of the GDPR.
As a consequence of the aforementioned investigation, the DPA came to the conclusion that the controller breached a number of GDPR articles. They found a violation of Article 25 GDPR, the obligation to implement data protection by design and by default, Article 32(1)(b) GDPR, the responsibility "to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services", Article 32(1)(d), the obligation to implement "a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing," and Article 32(b) GDPR, the responsibility to take into account "the risks that are presented by processing, in particular
Related Enforcement Actions (0)
No other enforcement actions found for Casa Rusu SRL in RO
This is the only recorded action for this entity in this jurisdiction.
Details
Fine Date
30 November 2022
Authority
Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal
Fine Amount
€1,977
9,883 RON
GDPRhub ID
gdprhub-5530
Cite as: Cookie Fines. Casa Rusu SRL - Romania (2022). Retrieved from cookiefines.eu