IKEA ROMÂNIA SA – €1,000 Fine (Romania, 2021)

The Romanian DPA (ANSPDCP) has imposed a fine of EUR 1,000 on IKEA ROMÂNIA SA. The controller had sent a notification to the DPA about a personal data breach under Art. 33 GDPR. Accordingly, the controller had organized a drawing contest in which children of IKEA Family members could participate. Participants uploaded their own drawings to an online platform along with entry forms containing their personal data and that of their parents, including their consent. In order to vote for the best drawing, the children's drawings were posted on the online platform and by accident along with it the personal data included in the participation forms. At the time of the investigation, it was determined that the security incident had resulted in the unauthorized disclosure of personal data of IKEA Family members (surname, first name and age of minors, as well as surname, first name, city, country, email, IKEA Family membership number and the signature of the parents) on the online platform accessible only to IKEA Family members in Romania. The incident affected 114 people, half of whom were minors. The DPA found that the controller had thus breached its obligation under Art. 32 (1) b), (2) GDPR to implement technical and organizational measures that ensure a level of security appropriate to the risk for the data subjects.