On August 4, 2022, the Romanian DPA announced it fined a retailer of personal care and beauty products with a fine EUR 2,000 for failure to ensure data subject’s right to object, breaching Article 21 of the GDPR.
The investigation was launched following a data subject’s complaint, stating that she had received unsolicited commercial communications via SMS from the company, although she had repeatedly unsubscribed from such messages. Subsequently, the company had informed the data subject that her data would no longer be processed for direct marketing purposes. However, the company continued to send unsolicited commercial communications to the data subject.
The Romanian DPA concluded that, although the data subject has repeatedly exercised her right to object, the company continued to send her unsolicited commercial communications, thus breaching the provisions of Article 21 of the GDPR.
It is important to note that the company was sanctioned for failure to comply with the GDPR, not the Law No. 506/2004 on the processing of personal data and the protection of privacy in the electronic communications sector, which includes special provisions on unsolicited commercial communications.
The press release is available here (only in Romanian).