The Romanian DPA imposes EUR 3,000 fine for failure to ensure the right to object to processing for direct marketing purposes


On 4 April 2023, the Romanian DPA announced it fined a marketing agency with two fines amounting to EUR 3,000 for failure to ensure the data subject’s right to object, breaching Article 21 of the GDPR.

The investigation was launched following several complaints, stating that the data subjects had received unsolicited commercial communications via telephone and e-mail from the said agency, despite their previous option not to be contacted by these means.

Further to the investigation, the Romanian DPA concluded that the controller did not consider the complainants’ objection to receiving commercial communications by e-mail or SMS and processed their personal data for direct marketing purposes, thus breaching Article 21 (3) of the GDPR.

In addition to the fines, the Romanian DPA also imposed the following corrective measures on the controller:

  • to adopt adequate and effective internal personal data protection procedures on how to address requests submitted by data subjects under Articles 12-22 of the GDPR
  • to comply in all cases with the applicable provisions on the prompt consideration and processing of such requests so as to ensure that the controller effectively responds to requests exercising data subjects’ rights under the GDPR, and
  • to train its staff regularly regarding the above.

This is not the first case where the Romanian DPA has qualified such violations as failure to comply with the GDPR, not Law No. 506/2004 on the processing of personal data and the protection of privacy in the electronic communications sector, which includes special provisions on unsolicited commercial communications (e.g., see this case).

The press release is available here (only in Romanian).