A private individual sanctioned by the Romanian DPA for unlawful publishing of personal data on a social media platform


On 27 March 2023, the Romanian DPA announced that it had imposed a EUR 450 fine on a private individual (i.e., acting as a controller) for processing data without a legal ground (Article 6(1) of the GDPR) and breaching the lawfulness, fairness, and transparency principle (Article 5(1)(a) of the GDPR).

The investigation was initiated following a complaint received by the Romanian DPA claiming that the controller had posted the personal data of numerous individuals on a social media platform. This investigation ended in March 2023.

Further to the investigation, the Romanian DPA found that the said controller had unlawfully disclosed the personal data of several data subjects through a social media platform. Thus, data such as first name, surname, and place of residence had been posted on a social media platform without the data subjects’ consent and without fulfilling another condition under Article 6(1) of the GDPR. In this context, the Romanian DPA held that the controller had to comply with the lawfulness principle as per Article 5(1)(a) of the GDPR.

Compared to the Romanian DPA’s practice in similar cases to date (i.e., involving private individuals qualified as controllers), the amount of the fine imposed in this instance (based on the available public information) seems in line with the previous approach (e.g., another EUR 500 fine in this case).

The press release is available here (only in Romanian).