The Romanian DPA fines a controller in the medical sector EUR 2,000 for not respecting the right of access


On 3 August 2023, the Romanian DPA announced a fine of EUR 2,000 applied to a controller in the medical sector for violations of Articles 12 para. (4) and 15 para. (3) of the GDPR.

The sanction was applied following an investigation triggered by a complaint claiming that the controller violated the right of access by refusing to disclose certain video recordings from the reception of one of their hospitals.

Further to the investigation, the Romanian DPA found that the said controller:

  • did not provide the complainant with the video recordings requested under the right of access and
  • did not include in the provided response information about the data subject’s possibility of filing a complaint before the Romanian DPA.

The Romanian DPA also applied a corrective measure, the controller being ordered to respond to the data subject’s request by communicating the copy of their personal data provided by GDPR, respectively the requested video recordings covering the period when the data subject was on the premises of the concerned hospital.

The press release is available here (only in Romanian).