On April 28, 2026, the Romanian DPA concluded an investigation into a gambling company. The DPA found that the company had collected the data subject’s phone number when another individual created an online gambling account on one of its platforms, without verifying the accuracy of the information provided and consequently issued an administrative fine amounting to RON equivalent of EUR 20,000.
The investigation was initiated following a complaint from a data subject who had received a commercial text message from the gambling company without having given consent for the use of his data for marketing purposes.
The investigation further revealed that the controller had unlawfully and excessively collected and stored documents containing the petitioner’s personal data, including a copy of his ID and a “selfie” photograph, in connection with the handling of the petitioner’s request to identify the source of the collection of his phone number and to provide evidence of consent for marketing purposes, leading to an additional administrative fine amounting to RON equivalent of EUR 15,000.
In addition to the fines, the DPA ordered the controller to implement the necessary technical and organizational measures to ensure the accuracy of personal data processing, as well as to provide the staff training in order to ensure compliance with the applicable data protection principles.
The press release is available here (only in Romanian).
