On 31 January 2024, the Romanian DPA announced a fine of EUR 2,000 imposed on one of Bucharest’s districts for failing to comply with the measures ordered by an action plan.
The Romanian DPA found that Art. 58 para. (1) letters a) and e) of the GDPR and Art. 14 para. (5) letter e) of Law No. 190/2018 on measures implementing the GDPR were violated.
The investigation was opened following complaints alleging a possible breach of the GDPR’s provisions.
Through resolutions of the Local Council, the controller established how residents could submit the documents required to benefit from the financial incentives of the program to support energy needs and efficiency: either in physical form or to an e-mail address set up strictly for the purpose of implementing the program.
However, the controller provided beneficiaries with an online data collection platform, which was purchased before the draft resolution was discussed and approved by the Local Council.
During the investigation, the controller did not respond to the Romanian DPA’s repeated requests for information. In this regard, the controller was sanctioned with a warning, given its status as a public entity in relation to the provisions of Law No. 190/2018. At the same time, a corrective measure was ordered, consisting of communicating all the requested information.
As the controller did not implement the measures previously ordered through an action plan within the deadline set by the Romanian DPA, the investigation continued.
Finally, the Romanian DPA imposed the EUR 2,000 fine since the controller failed to provide evidence of compliance with the action plan.
The press release is available here (only in Romanian).