Largest amount of GDPR breaches in CEE relate to entities in healthcare, telecom, financial, media & technology services.

16 Jul 2019 By Panayiotis Z. Toulouras LLC



A recent research undertaken by Deloitte Legal in countries part of Deloitte Central, found that the largest amount of controls and fines for possible breaches of the GDPR were reported in ‘highly regulated and client-facing industries’ where large volumes of personal data were being processed. The research was covering the period from when the GDPR came into force until May 31, 2019, which is just over a year.


The sectors which were evidenced as having the largest amount of breaches were private healthcare (due to handling of sensitive data), telecom and financial services, public sector, media and technology (mostly apps). Most supervisory authorities instructed companies to observe and comply to regulations on data minimization, purpose limitation and data retention principles,  data subjects’ rights, video surveillance, direct marketing, profiling and cookies.

With just over one year gone, the 8 countries surveyed found that the 34 fines set for GDPR violations, amounted to nearly EUR 750,000. The largest fine of them all was imposed in Poland for a company processing personal data gathered from public sources and using this data for profit which of-course violates the principles of lawfulness, fairness and purpose limitation. In total, the Romanian Data Protection Authority undertook 981 controls, imposed 57 corrective measures, issued 23 warnings with a large number of investigations is still pending.

Georgiana Singurel, a member of the Deloitte Legal network stated that “Romania has just reported its first fine for GDPR violations, of EUR 130,000, applied to a bank. We also see various and significant controls across Europe and fines imposed almost each week in many jurisdictions, out of which the leader is the EUR 50 million fine imposed to Google in France,”


Until May 31st 2019, data breaches reported to each national data protection authority have been:

  • Poland: 2,000
  • Czech Republic 626
  • Romania 398,
  • Hungary 380,
  • Lithuania 93,
  • Bulgaria 33.

Georgiana Singurel finished off the great and insightful survey by stating that “GDPR has been a major disruptor for any entity processing personal data and Romanian companies across all industries have worked on identifying the main risk areas and on assuring the compliance with the regulation. We see amongst our clients a continued focus on setting up complex internal processes and on adjusting legal documents in order to comply with GDPR, as well as on training their employees in this area,”


Panayiotis Z. Toulouras LLC provides counsel to clients on all the data protection matters and laws in place with the newly established GDPR. For any enquiries or assistance, feel free to contact us at [email protected] or call us directly at +357 24 623 800. For more information visit