On 16 September 2024, the Romanian DPA announced fines totaling the RON equivalent of EUR 4,000 imposed against two controllers in the IT and Telecom sectors for violation of the GDPR. The violations pertained to the controllers’ failure to respond to data subject requests.
Further to the investigation activities, the Romanian DPA found that the controllers did not provide the data subjects with proof of having replied to request to exercise the right of access and erasure, respective erasure, within 30 days.
In both cases, the answers have been provided by the controllers to individuals, but only after the Romanian DPA has initiated its investigations.
The Romanian DPA also applied corrective measures, the controllers being ordered to adopt an internal procedure on how to deal with requests made by data subjects under the GDPR as well as to train their staff regularly.
The press release is available here (only in Romanian).