S.P.E.E.H. Hidroelectrica S.A. – €5,000 Fine (Romania, 2021)

Following a data breach, the controller S.P.E.E.H. Hidroelectrica S.A. (a supplier of hydroelectricity) erroneously sent the personal data of 325 data subjects to the wrong recipients. The data breach was reported to the Romanian DPA. The subsequent investigation clarified certain elements of the breach and revealed that the controller had been processeing the personal data of 3 data subjects who previously exercised their right to erasure and withdrawn their consent for the processing. The Romanian DPA completed an investigation and found a breach of several GDPR provisions, for which it sanctioned the controller as follows: - a fine of approx €5,000 (RON 24,739.50) for breaching the Article 32(1)(b) and Article 32(2) GDPR; - a warning for breaching the Article 5(1)(a) and Article 6(1) GDPR; - a corrective measure ordering the controller to update its technical and organisational measures to ensure a level of security appropriate to the risk of processing; - a corrective measure ordering the controller to implement a measure that will guarantee personal data is accurate and updated according to the purpose of processing.