Authors: Iurie Cojocaru, Mihai Rotaru
As the EU General Data Protection Regulation (GDPR) marked its seventh anniversary on May 25, 2025, the Romanian DPA has released a short-form activity update covering the first four months of the year. The figures offer a snapshot of enforcement trends, complaint patterns, and the DPA’s contribution to ongoing pan-European initiatives.
Between January and April 2025, the Romanian DPA received 3,048 complaints, notifications, and data breach reports, a volume broadly consistent with previous years. Of these, 2,799 were formal complaints lodged by data subjects.
The authority initiated 153 investigations during the period, resulting in:
- 52 fines, totaling 1,134,267 RON (approx. €230,500),
- 68 warnings, and
- 96 corrective measures.
In addition, the DPA issued two orders to terminate unlawful processing and one formal reprimand.
The report identifies recurring themes in complaints and breach notifications, underlining the challenges that persist across both public and private sectors. Common issues included:
- Disclosure of personal data in public or online spaces;
- Unlawful or excessive use of video surveillance (CCTV);
- Delays or refusals in responding to data subject rights requests;
- Receipt of unsolicited marketing via electronic means;
- General failure to uphold the data processing principles.
The DPA also received 65 data breach notifications from data controllers, along with 184 complaints about potential non-compliance. These prompted an additional 86 investigations.
While the Romanian DPA has yet to publish a full 2024 annual report, this Q1 update signals a continued commitment to GDPR enforcement as the Regulation matures. The press release is available here (Romanian only).
