A new EUR 1,000 fine issued by the Romanian DPA for direct marketing violations


On 20 October 2023, the Romanian DPA announced a fine of EUR 1,000 imposed on a major retailer due to violations related to direct marketing.

This sanction stemmed from a complaint alleging that the controller processed the data subject’s phone number for direct marketing purposes without consent, by sending unsolicited commercial messages via SMS.

Following the investigation, the Romanian DPA found that the retailer failed to demonstrate the data subject’s consent or any other legal basis for processing personal data for the above-mentioned direct marketing purposes, thus violating Art. 6 of the GDPR.

The Romanian DPA also applied corrective measures, requiring the controller to:

  • obtain data subjects’ prior express consent for the processing of their personal data for marketing purposes;
  • ensure that all data processing operations comply with the GDPR provisions. Specifically, personal data should only be processed based on one of the explicit legal grounds outlined in Art. 6 of the GDPR.

The press release is available here (only in Romanian).