On 19 April 2023, the Romanian DPA announced a fine of EUR 3,000 imposed on a political party for breach of the principles of lawfulness, fairness and transparency, and of purpose limitation (Article 5(1)(a) and (b) GDPR), in conjunction with a breach of the lawfulness of processing (Article 6 GDPR).
The investigation was launched following complaints redirected to the Romanian DPA by the Romanian Ombudsman. The complaints alleged that the personal data of individuals with various degrees of disability had been published on the political party’s website.
During the investigation, the Romanian DPA found that the political party had extracted and published on its website personal data (name, surname, personal numerical code, address, identity card series and number, medical certificate number, degree of disability) of certain individuals from official documents of public authorities and institutions published on their websites. The Romanian DPA pointed out that the political party did not have a legal basis for the processing and did not comply with the GDPR principles mentioned above.
The Romanian DPA required the political party to ensure compliance with the GDPR principles when processing personal data, by reviewing the documents published on the political party’s website in order to anonymize the personal data.
The press release is available here (only in Romanian).