The Romanian DPA sanctions a public authority for failure to implement the previously imposed measures


On 20 December 2022, the Romanian DPA announced it sanctioned a public authority with a RON 13,000 fine (approx. EUR 2,600) for failing to comply with the measures imposed on this controller under the remediation plan established as a result of a previous investigation carried out by the Romanian DPA in September 2022.

Following the September 2022 investigation, the said authority was found in breach of Art. 5 para. (1) (b) and Art. 6 of the GDPR. Consequently, the Romanian DPA issued a warning and established a remediation plan to be implemented by the sanctioned entity within 20 days. The plan included technical and organizational measures aimed at ensuring compliance of the controller’s data processing operations (e.g., video monitoring – a topic on which the Romanian DPA recently issued a press release) with the data protection requirements. Such measures included internal procedures relating to the protection of personal data, as well as regular training of persons acting under the controller’s authority regarding their obligations when processing personal data and the associated risks.

Since the controller did not report the implemented measures, the Romanian DPA conducted a new investigation in November 2022 to assess compliance with the remediation plan. Therefore, the Romanian DPA concluded that the controller failed to implement the said measures, thus breaching Articles 13 and 14 of Law No. 190/2018 on measures implementing the GDPR.

Reference is also made to the fact that the sanctioned controller has paid the fine.

Based on the available public information to date, this is the first time that the Romanian DPA has sanctioned a controller for failing to implement the measures imposed in a remediation plan.

The press release is available here (only in Romanian).