The Romanian DPA fines a controller in the banking sector EUR 1,500 for failure to implement the previously imposed corrective measure on handling an access request


On 20 November 2023, the Romanian DPA announced a fine of EUR 1,500 applied to a controller in a banking sector for violations of Article 58 para. (1) and Article 83 para. (5) letter e) and para (6) of the GDPR.

The investigation commenced in response to a complaint about how the controller addressed an access request after a corrective measure ordered by the Romanian DPA.

During the investigation, the Romanian DPA concluded that the controller did not fully comply with the corrective measure imposed based on Article 58 para. (2) letter c) of the GDPR. This was due to their failure to communicate, appropriately and within the established term, all information related to the categories of personal data processed in connection with the data subject, the purposes of the processing, and the recipients or categories of recipients.

The Romanian DPA also held that the controller failed to provide evidence of communicating the response to complete the information as per the established corrective measure. At the same time, the controller was also ordered the corrective measure of sending the full response to the data subject’s request, by mail, to the address indicated in this respect.

The press release is available here (only in Romanian).