Beko Romania SA – €9,953 Fine (Romania, 2025)

An employee of a home appliances online shop, the controller, notified a data breach to the DPA, as per Article 33 GDPR. The DPA started an investigation, that revealed that an unauthorized person took advantage of a programming vulnerability and, consequently, accessed the website of the operator containing its customers’, the data subjects’, database. Thus, the person concerned had access to the personal data of a large number of data subjects of the operator, namely: name, surname, telephone number, e-mail address, domicile, product details. The investigation revealed that the controller did not carry out the regular testing, evaluation and assessment of the efficiency of technical and organisational measures to ensure the security of the processing. The DPA held that the controller did not implement the appropriate technical and organizational measures, either at the time of establishment of the means of processing, or during the processing itself, as required by Article 32 GDPR. This is further aggravated by the lack of regular testing, evaluation and assessment that the investigation revealed. The DPA found a breach of Article 32(1)(b), (d) and Article 32(2) GDPR deemed it appropriate to fine the controller RON 49,766 (€10,000). The DPA further ordered the controller to implement a data volume analysis system of their IT infrastructure.