Romanian DPA issues fine and corrective measures for GDPR violations in healthcare sector

10.12.2024

In October 2024, the Romanian DPA concluded an investigation into a healthcare sector controller for data protection violations and found multiple non-compliances.

The controller was fined for breaching Article 13 paragraph (1) letter i) of Law No. 506/2004, which addresses the protection of private life in electronic communications, and Articles 12-14 of the GDPR.

The investigation was initiated following a complaint regarding improper cookie management on the controller’s website. It was found that the website permitted the storage of cookies on users’ devices without providing an option to access the site without consenting to information collection via cookies, which is against legal requirements. The controller also failed to provide clear and complete information to users about personal data collection and processing, breaching GDPR transparency requirements.

The controller received a fine of RON 10,000 and a warning.

Corrective measures ordered include:

  • Obtaining explicit user consent before installing cookies, in line with Article 4 paragraph (5) of Law No. 506/2004, and ensuring that the information provided is clear and accessible.
  • Ensuring that the website offers complete, transparent, and easily accessible information to data subjects, compliant with Articles 12-14 of the GDPR, using clear and simple Romanian language.

The press release is available here (only in Romanian).
