A look back at 2025 in terms of sanctions imposed for breaches of data protection regulations

Authors: Ioan Dumitrașcu (partner), Diana Gavra (senior associate), Cristina Boroșeanu (associate)

 

Against the backdrop of accelerating digitization processes and the increasingly frequent implementation of artificial intelligence-based systems in corporate processes, personal data protection continues to be a main topic with a direct impact on everyday business. Over time, companies have become aware of the importance of this issue and have taken action to ensure compliance with applicable legal requirements.

Over the past year, we have seen the following main compliance efforts: updating policies, procedures, and information notes to cover new processes or lines of business, including as a result of the integration of AI-based systems; addressing the data protection implications of procedures carried out in relation to employees; internally documenting the legitimate interests pursued by controllers and conducting data protection impact assessments; conducting training for company employees; testing data subject rights response procedures; contractually regulating relationships with data processing implications; carrying out compliance audits to identify possible areas for improvement; and, in some cases, addressing data security breaches.

In keeping with the tradition started four years ago, at the beginning of the new year, we have prepared a retrospective of 2025 from the perspective of sanctions imposed for violations of personal data protection legislation, based on information published by the Romanian supervisory authority – ANSPDCP.

In terms of the monitoring and control activities carried out by ANSPDCP, the main change observable in 2025 is the total number of fines imposed and their amount. Thus, according to the information in the “Brochure on the 20th anniversary of the establishment of the ANSPDCP, 2025” and the “Brochure dedicated to European Data Protection Day, 2026”, while in 2024, 83 fines were imposed for a total amount of RON 1,855,807, in 2025, 105 fines were imposed for a total amount of RON 2,565,020 (equivalent to EUR 511,400). Of these fines, 96 were applied under the GDPR and 9 fines were applied under Law 506/2004 (amounting to RON 187,000). As regards the total number of investigations, the data reflects a slight increase, with a total of 488 investigations finalised in 2025, compared to 476 investigations finalised in 2024.

According to information published on the ANSPDCP website, the main reasons that led to the application of sanctions in 2025 were:

  • the lack of adequate and effective technical and organizational measures, the lack of periodic testing, which led to security incidents (e.g., in the form of unauthorized access to the personal data of the controller’s customers, cyber-attacks, unauthorized publication of data on a social network, unauthorized processing of data by an employee of the data processor);
  • the failure by the controller to implement the measures necessary to ensure that any person acting under its authority and having access to data processes them only at the request of the controller;
  • the lack of consent or of legal grounds (e.g., sending unsolicited commercial messages, publishing on a social media page);
  • the processing of personal data through the use of body-cam audio-video surveillance devices (image, voice), without legal grounds and without complying with the rules of transparency towards the data subjects;
  • implementing cookies on users’ equipment that were not technically necessary, without providing accurate and complete information and without obtaining the consent of relevant individuals;
  • the processing of data through audio-video employee monitoring systems, in violation of the legality, fairness, and transparency requirements;
  • the failure to observe the rights of data subjects (e.g., inadequate handling of requests to erase personal data, to object to processing, the failure to provide a complete response within the legal time limit to a data access request);
  • the failure to inform individuals about data processing via a website;
  • the failure to comply with data processing principles, which led to excessive processing for the intended purpose (e.g., using data to issue documents after the termination of the contractual relationship, unauthorized transmission of data concerning a former employee);
  • the failure to cooperate with ANSPDCP by not communicating the information requested by the Authority within the scope of its legal investigative powers.

 
