On 10 April 2023, the Bucharest Court of Appeal delivered its final ruling in a case concerning a challenge against GDPR sanctions issued by the Romanian DPA.
The background of this case
In a nutshell, in May 2022, the Romanian DPA concluded that a debt collection agency unlawfully processed a data subject’s personal data (including health data) by unlawfully and excessively disclosing them to certain doctors and medical units. Thus, a EUR 5,000 fine was imposed for alleged violations of the following GDPR provisions:
- Article 5 (1) (a) – lawfulness, fairness, and transparency principle;
- Article 5 (1) (c) – data minimization principle;
- Article 5 (2) – accountability principle;
- Article 6 – lawfulness of processing;
- Article 9 – processing of special categories of personal data.
In addition to the fine, a warning was also issued for failing to comply with the GDPR requirements on notifying a personal data breach to the supervisory authority.
The press release announcing the above is available here (only in Romanian).
As per the available public information, it appears that shortly after, the debt collection agency filed a challenge against all of these sanctions.
In November 2022, the first instance partially upheld the challenge as follows:
- replacing the EUR 5,000 fine with a warning and
- maintaining the initial warning as issued by the Romanian DPA.
Subsequently, the Romanian DPA filed an appeal against the first instance solution, which was dismissed as unfounded by the Bucharest Court of Appeal on 10 April 2023. This ruling is final (i.e., it can only be subject to extraordinary judicial remedies).
Following this solution, we are now awaiting the grounds for which the Court ruled as such. According to the Romanian procedural rules, the reasoning should be drafted within 30 days of the ruling. However, this term is not always rigorously respected in practice.