On 24 April 2023, the Romanian DPA announced a fine of EUR 1,000 imposed on a controller found in breach of Articles 12 (3) and 21 of the GDPR.
The investigation was initiated following a complaint from a data subject who reported receiving unsolicited messages, despite having previously exercised the right to object to such messages.
Further to the investigation, the Romanian DPA concluded that the said controller:
- had repeatedly sent unsolicited commercial messages by SMS to the concerned data subject, even though the latter had previously requested by e-mail to unsubscribe from its newsletter, thus breaching Article 21 of the GDPR
and
- failed to provide evidence that (i) it had dealt with the data subject’s request in accordance with the provisions of Article 12 (2) in conjunction with Article 21 of the GDPR, nor that (ii) it provided the data subject with a response on the measures taken following the exercise of the right to object, within the legal timeframe, thus breaching Article 12 (3) of the GDPR.
In addition to the fine, the Romanian DPA also imposed the controller the corrective measure of implementing the necessary measures to amend the internal procedures and inform the employees thereof, so that the rights of the data subjects provided for under the GDPR are respected in all cases.
This is not the first case where the Romanian DPA has qualified such violations as failure to comply with the GDPR, not Law No. 506/2004 on the processing of personal data and the protection of privacy in the electronic communications sector, which includes special provisions on unsolicited commercial communications (e.g., see this case or this case).
The press release is available here (only in Romanian).