The Romanian DPA applies a EUR 2000 fine for unlawful cookie file storage on users’ devices


On 27 May 2024, the Romanian DPA announced a fine of the RON equivalent of 2000 EUR imposed against a controller in the real estate industry for violation of the GDPR as well as of Law 506/2004 on the processing of personal data and the protection of privacy in the electronic communications sector. Namely, the controller was sanctioned for not providing identity information on its website along with unlawful cookie storage.

The fine was applied following an investigation triggered by a complaint claiming that the controller did not provide information on their identity, nor details on the cookies in use.

Further to the investigation, the Romanian DPA found that the controller:

  • did not provide information on the identity and the contact details of the controller;
  • installed cookies which were not technically necessary for the functioning of the site on users’ devices.

The Romanian DPA also applied two corrective measures, the controller being ordered to:

  • supplement the privacy policy on the website with the information required under Article 13(1). (1) lit. a) of the GDPR;
  • reconfigure the way cookies are installed on the devices of website users.

The press release is available here (only in Romanian).