The National Revenue Authority was fined 5.1 million lev (€2.61m) by the Commission for Personal Data Protection (CPDP) after personal details belonging to more than six million people was "illegally accessed and distributed on the internet".
The personal data compromised included names, addresses and contact information, as well as data from individuals' annual tax returns, information relating to their personal income tax position, insurance declarations and health insurance premiums, as well as data on tax payments they had completed and on VAT refunds claimed and received. Further data on issued acts for administrative violations was also the subject of unauthorised access, the CPDP said.
In addition to imposing a fine, the CPDP said it had ordered the NRA to undertake a number of actions designed to improve its data security practices. The NRA has six months to "enhance the protection of personal data processing in applications, providing e-services to citizens", and perform a risk analysis of its systems and data processing operations. It will also need to carry out "impact assessments at the event of identifying 'high risk' for each system, and the appropriate measures, which have to be taken" to address those risks.
The NRA has also been ordered to perform data protection impact assessments when launching new information systems and applications.
The second case in which the CPDP has issued a fine follows a data breach at DSK Bank over which the institution was fined one million lev (€511,000).
The regulator said a month long investigation it had conducted found that third parties had gained unauthorised access to personal data belonging to more than 33,000 customers of the bank. The data was recorded in more than 23,000 credit record files.
Biometric data, income and health insurance information, as well as details concerning assessments of individuals' capacity to work was among the personal data compromised.
The CPDP said its investigation found that DSK Bank "has not managed to implement the appropriate technical and organizational measures and has not provided the necessary ability to guarantee a permanent confidentiality, security, integrity, availability and sustainability of the systems and servers for processing personal data of individuals".
Data protection law expert Michele Voznick of Pinsent Masons, the law firm behind Out-Law, said: "These latest fines demonstrate that security of personal data is a matter being taken seriously by data protection authorities across Europe. While the DPAs continue to grasp with their new powers, data controllers in different countries will have to watch to learn what level of harmonisation will develop across the EU under the GDPR in terms of enforcement action and administrative fines for security breaches."