Recently, the Romanian Data Protection Authority (ANSPDCP) announced two new sanctions for GDPR violations.
A company active in market research – fined for multiple GDPR breaches
Following complaints from two European supervisory authorities, the ANSPDCP investigated a Romanian-based company active in the field of market research. The investigation revealed several shortcomings – failure to respond to access requests, lack of proper initial information, and processing personal data without a valid legal basis.
The company received three fines totaling approximately €12,000:
- €5,000 for violating the right of access (Art. 15 and 12(1) GDPR),
- €2,000 for failure to inform data subjects at first contact (Art. 14 and 12(1)),
- €5,000 for unlawful processing (Art. 6(1)).
Corrective measures included mandatory staff training on handling data subject requests and ensuring legal grounds for processing.
The press release is available here, only in Romanian.
A natural person – fined for publishing personal data online
In a separate case, the authority fined a natural person €1,000 for publicly disclosing another individual’s name and phone number on a social media platform, without consent or any valid legal basis (Art. 6(1) GDPR). The person had previously been sanctioned for similar conduct.
The press release is available here, only in Romanian.
