New sanctions for cookie non-compliance and a data breach against one of the top energy companies in Romania


The Romanian DPA sanctioned one of the top energy companies in Romania and imposed the following fines:

  • EUR 25,000 for violation of Art. 32 para. (1) letters b) and d), and para. (2) of GDPR;
  • EUR 8,000 for infringement of Art. 4 para. (5) of Law no. 506/2004 (the national law implementing the ePrivacy Directive).

Following a complaint about a potential data breach on the controller’s website, the Romanian DPA found that a breach had indeed occurred: a file hosted on the controller’s website containing personal data (name, surname, address, telephone numbers, e-mail addresses, contract number and contract date) of at least 750 data subjects had been publicly accessible for approximately two and a half years via a link indexed by search engines.

It was also found that, on accessing the controller’s website, cookies that are not technically necessary were placed on the user’s device before any consent was given. Additionally, if the user rejected these cookies by clicking the “Refuse” button, that choice had no effect: the cookies remained on the user’s device, unchanged, for a certain period.
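Both defects described above are ones a front-end review can catch directly. The following is an added example, not code from the press release or from the sanctioned company’s site: a minimal consent gate that (1) holds back non-essential cookies until the visitor decides and (2) makes “Refuse” actually expire any non-essential cookies already present, rather than merely recording the choice. The cookie name `cookie_consent`, the essential-cookie allowlist and the `MemoryCookieJar` stand-in for `document.cookie` are all assumptions made so the code runs outside a browser.

```javascript
// Added example (assumptions: the consent cookie name, the essential allowlist
// passed by the caller, and MemoryCookieJar as a constructed stand-in for
// document.cookie so this runs in Node). In a browser the store would be
//   { get: () => document.cookie, set: (s) => { document.cookie = s; } }

// In-memory jar with document.cookie semantics: get() -> "a=1; b=2",
// set("name=value; Attr=...") writes one cookie, and Max-Age<=0 or a past
// Expires deletes it, exactly as the browser does.
class MemoryCookieJar {
  constructor() { this.cookies = new Map(); }
  get() {
    return [...this.cookies].map(([k, v]) => `${k}=${v}`).join('; ');
  }
  set(str) {
    const [pair, ...attrs] = str.split(';').map((s) => s.trim());
    const eq = pair.indexOf('=');
    const name = pair.slice(0, eq);
    const value = pair.slice(eq + 1);
    const expired = attrs.some((a) => {
      const [k, v] = a.split('=').map((s) => s.trim());
      if (/^max-age$/i.test(k)) return Number(v) <= 0;
      if (/^expires$/i.test(k)) return Date.parse(v) < Date.now();
      return false;
    });
    if (expired) this.cookies.delete(name); else this.cookies.set(name, value);
  }
}

// Parse "a=1; b=2" into a Map of name -> value.
function parseCookies(header) {
  const out = new Map();
  for (const part of header.split(';')) {
    const p = part.trim();
    if (!p) continue;
    const eq = p.indexOf('=');
    out.set(eq < 0 ? p : p.slice(0, eq), eq < 0 ? '' : p.slice(eq + 1));
  }
  return out;
}

const CONSENT_COOKIE = 'cookie_consent'; // assumed name for the stored choice

class ConsentManager {
  // store: object with get()/set(str) as above
  // essential: names of strictly necessary cookies (allowlist, assumed)
  constructor(store, essential) {
    this.store = store;
    this.essential = new Set([...essential, CONSENT_COOKIE]);
    this.pending = []; // non-essential cookies waiting for a decision
  }
  consent() { return parseCookies(this.store.get()).get(CONSENT_COOKIE); }

  // Essential cookies are always written. Non-essential ones are written
  // only after "granted"; before a decision they are queued, after
  // "denied" they are dropped.
  setCookie(name, value, attrs = '') {
    const line = `${name}=${value}${attrs ? '; ' + attrs : ''}`;
    if (this.essential.has(name) || this.consent() === 'granted') {
      this.store.set(line);
    } else if (this.consent() !== 'denied') {
      this.pending.push(line);
    }
  }

  accept() {
    this.store.set(`${CONSENT_COOKIE}=granted; Max-Age=15552000; Path=/`);
    for (const line of this.pending) this.store.set(line);
    this.pending = [];
  }

  // The part the sanctioned site got wrong: refusing must purge, not just
  // record. Anything not on the allowlist (e.g. a cookie a third-party
  // script dropped before the banner loaded) is expired here.
  refuse() {
    this.store.set(`${CONSENT_COOKIE}=denied; Max-Age=15552000; Path=/`);
    this.pending = [];
    for (const name of parseCookies(this.store.get()).keys()) {
      if (!this.essential.has(name)) {
        this.store.set(`${name}=; Max-Age=0; Path=/`);
      }
    }
  }

  // Sorted cookie names currently in the store; handy for an audit check.
  names() { return [...parseCookies(this.store.get()).keys()].sort(); }
}
```

Two caveats when moving this to a real page: a browser only deletes a cookie when the deletion’s `Path` and `Domain` match those the cookie was set with, so a purge must know how third-party cookies were scoped, and it cannot touch `HttpOnly` cookies at all. The reliable fix for the first finding is therefore to block the scripts that set non-essential cookies until consent exists, with the purge as a safety net; the `names()` check before any banner interaction should return only allowlisted names.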

This appears to be the first fine for breaching the cookie rules of the ePrivacy law that the Romanian DPA has imposed since the GDPR became applicable.

The Romanian DPA also imposed corrective measures, ordering the controller to implement a procedural plan that includes regular testing, evaluation and assessment of all systems on the website it manages, and of any subsequent changes to them made by the controller or by its service providers (processors).

The press release is available here (only in Romanian).