The Romanian DPA sanctions marketing agency EUR 2,000 for unsolicited commercial communications


On 7 September 2023, the Romanian DPA announced two fines totaling EUR 2,000 against a marketing agency, following an investigation launched after a data subject’s complaint regarding unsolicited marketing communications.

The investigation concluded that the controller:

  • collected the data subject’s personal data (e.g., name, e-mail address, workplace) from public sources to propose participation in market research;
  • failed to present evidence that the concerned data subject had been provided with clear and complete information (e.g., by omitting the data collection source), which led to the breach of Article 14 of the GDPR;
  • did not take the necessary measures to comply with the data subject’s request exercising the right to object. Thus, the controller continued the data processing by sending a new unsolicited message, violating Article 17 (1) (c) of the GDPR.

The Romanian DPA also applied two corrective measures, ordering the controller to:

  • ensure compliance with the GDPR, by ensuring clear and complete information to data subjects, both on its website and in the other documents communicated directly to data subjects;
  • review the lawfulness of the processing of personal data previously collected from sources other than directly from data subjects and remove from its system, if applicable, the personal data that have not been processed in compliance with all the GDPR requirements.

Finally, the Romanian DPA noted that the imposed fines have been paid.

The press release is available here (only in Romanian).