The Romanian Data Protection Authority ("DPA") has issued a statement regarding the administrative sanctions it has recently applied for various breaches which have occurred in the data protection field. The largest fines, reflected in this statement, have been applied by the authority in relation to:

Data controllers active in the non-bank financial domain

Sanctions have been applied in relation to these data controllers for failure to provide to the DPA with the information requested and for the illegal processing of personal data. The largest sanction applied was of RON 35,000 (approx. EUR 7,800).

Data controllers active in the banking domain

As far as the banking institutions are concerned, sanctions have been applied for the illegal processing of personal data. The data controllers in question failed to comply with the obligations related to the processing of negative data (including the obligation to inform the data subjects with regard to such processing). The sanction applied was of RON 20,000 (approx. EUR 4,500).

Data controllers active in the telecommunications domain

With regard to the telecommunications companies, the DPA has applied sanctions mainly for non-compliance with the obligation to take technical and organisational measures in order to ensure the protection of personal data against any illegal access or disclosure. The fine applied was of RON 10,000 (approx. EUR 2,200).

Data controllers active in the IT domain

Sanctions have been applied in relation to these data controllers for non-compliance with the legal provisions regarding unsolicited direct marketing. The sanction applied was of RON 7,000 (approx. EUR 1,600).

The DPA's sanctions provide guidance on areas of focus in which organisations should ensure they are compliant.

The DPA's statement can be accessed here (Romanian).

Submitted by Iurie Cojocaru of Nestor Nestor Diculescu Kingston Petersen – Bucharest, Romania