On 13 March 2023, the Romanian DPA announced it sanctioned a controller operating a website for online shopping with a EUR 2,000 fine and corresponding corrective measures for failure to ensure the transparency of the processing and the right to object to the processing for direct marketing.
The investigation was initiated following the receipt of a data subject’s complaint alleging the website’s owner had sent marketing communications via e-mail, although being confirmed that such communications would not be transmitted, thus violating her right to object.
The Romanian DPA acknowledged that the controller did not provide data subjects with relevant information regarding the processing of personal data through its website and failed to comply with Article 12 and Article 13 of GDPR (e.g., information on the recipients, the retention periods, and the right to complain with the supervisory authority).
In addition, corrective measures were imposed to ensure that (i) the processing of the personal data for direct marketing purposes is based only on the express prior consent given by the data subject, (ii) the data subjects are informed through the T&Cs of the website in a complete, clear, precise, and accurate manner on processing their personal data, and (iii) the removal of the excessive requirements that the rights under GDPR could be exercised by a written and signed request when these are sent by e-mail, as well as requesting a copy of the identity document therefor.
The press release is available here (only in Romanian).