Romanian Data Protection Authority - Data Breach Notification

An investigation has been initiated regarding Automobile Bavaria due to the unauthorized exposure of customer and potential customer data (including name, surname, email address, phone number, vehicle-related data, vehicle purchase method, and marketing preferences such as phone, email, newsletter subscription, etc.) in July and August 2022 on the data controller's website. The investigation found that the data controller did not take adequate security measures and/or conduct testing related to data processing activities.

The Romanian Data Protection Authority has imposed an €18,000 fine on the data controller, Automobile Bavaria, for violating GDPR Article 32/1 and 2 by failing to ensure the security of data and causing a data breach resulting in the unauthorized exposure of data for 290 data subjects. An additional warning was issued for violating GDPR Article 25/1.

Furthermore, a warning has been issued under GDPR Article 58, emphasizing the need to periodically test and evaluate all systems related to personal data, implement corrective measures, and make subsequent changes to these systems.