On 27 June 2025, the Romanian DPA announced a fine of the RON equivalent of 4000 EUR imposed against a controller operating in the construction industry for violation of the Romanian ePrivacy Law.
The sanction was applied following an investigation triggered by a complaint submitted by a natural person alleging possible breach of GDPR by an online shop.
Further to the investigation, the Romanian DPA found that cookies not strictly necessary for the website’s functionality were stored without prior user consent on the controller’s site.
The Romanian DPA also imposed a corrective measure under the GDPR, requiring the controller to ensure that non-essential cookies (such as those used for marketing or statistics) are stored on users’ devices only after valid consent has been obtained.
The press release is available here (only in Romanian).