On 3 May 2022, the Romanian DPA announced it sanctioned a retail company with a EUR 4,000 fine for not providing the DPA with the information requested during a direct marketing investigation.
The investigation was launched following the receipt of several affected data subjects’ complaints alleging they had received commercial SMS communications promoting the said retailer’s website without having expressed their consent for receiving such messages on their telephone numbers.
Although the controller confirmed receiving the Romanian DPA’s request for information, it failed to respond thereto, and thus, the DPA issued the fine sanctioning the breach of Article 58 (1) of the GDPR.
In addition, the Romanian DPA imposed the following corrective measures, ordering the controller:
- to avoid processing of personal data without the data subjects’ consent in cases where consent is required, and
- to implement adequate measures in order to ensure that personal data such as telephone numbers are no longer processed for direct marketing purposes without the data subjects’ prior consent.
The press release is available here (only in Romanian).