e-Privacy and GDPR non-compliance: Romanian DPA fines a fitness company EUR 2,000 and issues two reprimands


On 23 November 2023, the Romanian DPA announced that it had sanctioned a fitness company with a EUR 2,000 fine for cookie non-compliance and imposed two reprimands for breaching the principles of processing, lawfulness of processing and certain provisions on data subjects’ requests.

The investigation, which was completed in November 2023, was initiated following complaints claiming that the controller did not respond to the data subject’s request to exercise her right to be forgotten.

The investigation revealed that the fitness company allowed the storage of information and access to information stored on users’ equipment by using cookies that are not technically necessary on its website, without obtaining prior express consent.

It was also found that the company processed the data subject’s email address for direct marketing purposes without a legal basis.

At the same time, it was found that the controller did not respond to the data subject’s request to exercise her right to erasure.

The Romanian DPA also applied corrective measures, ordering the controller to:

  • take the necessary measures to ensure lawful processing of data subjects’ data when using its website, in order to comply with Articles 5, 6 and 7 of the GDPR;
  • take appropriate measures to respect the rights of data subjects, including the right to erasure of data in the case of the complainant;
  • actively implement the provisions of Article 4(5) of Law 506/2004, by reference to the provisions of Article 4(11) and Article 7 of the GDPR, by obtaining the express consent of users before installing cookies on their devices.

The press release is available here (only in Romanian).