On 18 January 2023, the Romanian DPA announced it sanctioned a major retailer with a 1,000 EUR fine for failure to erase a data subject’s personal data after exercising the right of erasure under the GDPR.
The investigation was launched following the respective data subject’s complaint and finalized in December 2022.
During the investigation, the Romanian DPA found that the data subject received, after exercising their right to erasure, an SMS containing commercial communications from the controller.
It was concluded that the controller did not take all the necessary measures to comply with the data subject’s erasure request, thus continuing to process personal data by sending unsolicited commercial messages.
In addition to the fine, the Romanian DPA imposed a corrective measure, ordering the controller to implement technical and organizational measures to ensure that it effectively responds to data subjects’ rights under the GDPR, including with regard to the right to erasure.
Based on the publicly available information, this sanction seems to follow the Romanian DPA’s previous approach to failures in handling data subjects’ erasure requests.
The press release is available here (only in Romanian).
