On 7 February 2024, the Romanian DPA announced a fine of EUR 2,000 imposed on an exchange office for failure to provide all the information and documents requested by the Romanian DPA, in violation of Art. 83 para. (5) letter e) of the GDPR.
The Romanian DPA also issued a reprimand for processing personal data without consent or another legal basis, thus violating the provisions of Art. 5 para. (1) letter a) and Art. 6 of the GDPR.
The investigation was opened following complaints alleging that the controller had processed the personal data of several individuals in order to send information about the opening of virtual currency accounts on their behalf.
During the investigation, the Romanian DPA found that the controller had processed the personal data (first and last name) of individuals within an administrative-territorial unit in order to send information about the opening of current accounts in their name without consent or any other legal basis. The investigation also revealed that the controller did not provide the DPA with all the information and documents requested.
The press release is available here (only in Romanian).
