A telecommunications company sanctioned by the Romanian DPA for failure to ensure the right of access


On 21 June 2023, the Romanian DPA announced a fine of EUR 1,000 against a telecommunications company, following an investigation launched after a complaint alleging that the controller refused to disclose certain records from the call center.

The investigation concluded that the controller did not prove that it had sent any response to the data subject’s access request, which led to the breach of Article 15 para. (3) of the GDPR.

The press release did not indicate whether the Romanian DPA representatives took into consideration the main findings of the Court of Justice of the European Union set in its judgment delivered last month in Case C-487/21 regarding the interpretation of Article 15 para. (3) of the GDPR (see our previous update on this here).

At the same time, the controller was ordered, as a corrective measure, to adopt technical and organizational measures to ensure effective solutions to the requests received from the data subjects on their rights under the GDPR, including the right of access under Article 15 of the GDPR.

The press release is available here (only in Romanian).