A retrospective of the GDPR sanctions and control activity in Romania
The 3 years since the GDPR became applicable have been a period of intense activity both for the economic operators that process personal data and have adopted GDPR compliance programs, and for the Romanian Authority, which has clarified the interpretation and implementation of the GDPR through its monitoring and control activity. This material summarizes the sanctions and control activity conducted throughout this period. The sanctioned violations mainly concerned:
- the lack of appropriate technical and organisational measures;
- data processing without a legal basis (including processing of special categories of data);
- failure to comply with the data subjects’ rights (the right to object to marketing communications, to access data, the right to erasure);
- failure by the data controller / data processor to ensure that its employees act only according to the instructions;
- non-compliance with the GDPR principles;
- irregularities related to the obligation to inform data subjects (usually, lack of information);
- failure to provide information requested by the Authority;
- non-compliance with corrective measures imposed by the Authority;
- failure to notify the Authority in case of a data breach incident (GDPR and local ePrivacy Law 506/2004);
- lack of security measures imposed by Law 506/2004;
- non-compliance with the provisions on unsolicited communications under Law 506/2004.