Dt: Created page with “{{DPAdecisionBOX |Jurisdiction=Romania |DPA-BG-Color=background-color:#ffffff; |DPAlogo=LogoRO.jpg |DPA_Abbrevation=ANSPDCP |DPA_With_Country=ANSPDCP (Romania) |Case_Number_Name=30.01.2026 |ECLI= |Original_Source_Name_1=ANSPDCP |Original_Source_Link_1=https://www.dataprotection.ro/?page=Comunicat_Presa_30.01.2026&lang=ro |Original_Source_Language_1=Romanian |Original_Source_Language__Code_1=RO |Original_Source_Name_2= |Original_Source_Link_2= |Original_Source_Language…”
|Jurisdiction=Romania
|DPA-BG-Color=background-color:#ffffff;
|DPAlogo=LogoRO.jpg
|DPA_Abbrevation=ANSPDCP
|DPA_With_Country=ANSPDCP (Romania)
|Case_Number_Name=30.01.2026
|ECLI=
|Original_Source_Name_1=ANSPDCP
|Original_Source_Link_1=https://www.dataprotection.ro/?page=Comunicat_Presa_30.01.2026&lang=ro
|Original_Source_Language_1=Romanian
|Original_Source_Language__Code_1=RO
|Original_Source_Name_2=
|Original_Source_Link_2=
|Original_Source_Language_2=
|Original_Source_Language__Code_2=
|Type=Complaint
|Outcome=Upheld
|Date_Started=
|Date_Decided=
|Date_Published=30.01.2026
|Year=
|Fine=50,890
|Currency=RON
|GDPR_Article_1=Article 5 GDPR
|GDPR_Article_Link_1=Article 5 GDPR
|GDPR_Article_2=Article 6 GDPR
|GDPR_Article_Link_2=Article 6 GDPR
|GDPR_Article_3=Article 9 GDPR
|GDPR_Article_Link_3=Article 9 GDPR
|GDPR_Article_4=Article 10 GDPR
|GDPR_Article_Link_4=Article 10 GDPR
|GDPR_Article_5=Article 12 GDPR
|GDPR_Article_Link_5=Article 12 GDPR
|GDPR_Article_6=Article 12(3) GDPR
|GDPR_Article_Link_6=Article 12 GDPR#3
|GDPR_Article_7=Article 12(4) GDPR
|GDPR_Article_Link_7=Article 12 GDPR#4
|GDPR_Article_8=Article 13 GDPR
|GDPR_Article_Link_8=Article 13 GDPR
|GDPR_Article_9=Article 14 GDPR
|GDPR_Article_Link_9=Article 14 GDPR
|GDPR_Article_10=Article 17(1) GDPR
|GDPR_Article_Link_10=Article 17 GDPR#1
|GDPR_Article_11=Article 83(5)(e) GDPR
|GDPR_Article_Link_11=Article 83 GDPR#5e
|GDPR_Article_12=
|GDPR_Article_Link_12=
|GDPR_Article_13=
|GDPR_Article_Link_13=
|EU_Law_Name_1=
|EU_Law_Link_1=
|EU_Law_Name_2=
|EU_Law_Link_2=
|National_Law_Name_1=
|National_Law_Link_1=
|National_Law_Name_2=
|National_Law_Link_2=
|Party_Name_1=
|Party_Link_1=
|Party_Name_2=
|Party_Link_2=
|Appeal_To_Body=
|Appeal_To_Case_Number_Name=
|Appeal_To_Status=Unknown
|Appeal_To_Link=
|Initial_Contributor=
|
}}
The DPA fined a website operator a total of RON 50,890 (€10,000) for illegally publishing the personal data of alleged scammers, for failing to provide information to data subjects, to comply with a request for erasure, and to respond to the DPA’s inquiry.
== English Summary ==
=== Facts ===
The DPA launched an investigation into a natural person (the controller) operating the website evita-teparii.ro following two complaints alleging that the website published identity cards containing personal data.
Moreover, the complaints alleged a failure to respond to an erasure request and the publishing of libelous information on the website regarding one of the complainants.
Furthermore, the complaints emphasised that the website was missing identification information regarding the operator and other required information in accordance to the GDPR.
=== Holding ===
Firstly, the DPA noted the failure of the controller to respond to its inquiries. Therefore, the DPA fined the controller RON 5,089 (€1,000) based on [[Article 83 GDPR#5e|Article 83(5)(e) GDPR]].
Secondly, the DPA found that the controller published personal data without a legal basis, illegally processing the personal data of natural persons and publishing libelous allegations about them. Moreover, the DPA found that the controller processed illegally special categories of personal data, specifically data concerning a natural person’s sex life and data referring to a possible criminal conviction.
Therefore, the DPA fined the controller RON 25,455 (€5,000) for infringements of [[Article 5 GDPR|Article 5 GDPR]], [[Article 6 GDPR|Article 6 GDPR]], [[Article 9 GDPR|Article 9 GDPR]] and [[Article 10 GDPR|Article 10 GDPR]].
Thirdly, the DPA noted that the controller failed to provide correct, complete and transparent information to data subjects, and to respect and facilitate the exercise of the rights of the data subjects. Thus, the DPA fined the controller RON 15,267 (€3,000) for breaching [[Article 12 GDPR|Article 12 GDPR]], [[Article 13 GDPR|Article 13 GDPR]], and [[Article 14 GDPR|Article 14 GDPR]].
Fourthly, the DPA found that the controller failed to respond to and to comply with the data subject’s erasure request. Therefore, the DPA fined the controller RON 5,089 (€1,000) for the infringement of [[Article 12 GDPR#3|Article 12(3) GDPR]], [[Article 12 GDPR#4|Article 12(4) GDPR]], and [[Article 17 GDPR#1|Article 17(1) GDPR]].
Finally, the DPA ordered the controller to bring its processing activities into compliance with the provisions of the GDPR.
== Comment ==
”Share your comments here!”
== Further Resources ==
”Share blogs or news articles here!”
== English Machine Translation of the Decision ==
The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.
<pre>
30.01.2026
Fines for violation of the GDPR
The National Supervisory Authority for Personal Data Processing completed, in January 2026, an investigation into a natural person operator and found a violation of the provisions of art. 83 paragraph (5) letter e), art. 5, art. 6, art. 9, art. 10, art. 12 – art. 14, art. 12 paragraphs (3) – (4), art. 17 paragraph (1) of Regulation (EU) 679/2016.
As such, the operator was sanctioned with:
– a fine in the amount of 5,089 lei, (the equivalent of 1,000 euros) for the violation of art. 83 paragraph (5) letter e) of Regulation (EU) 679/2016.
– fine in the amount of 25,445 lei, (equivalent to 5,000 euros) for violating the provisions of art. 5, art. 6, art. 9, art. 10 of Regulation (EU) 679/2016.
– fine in the amount of 15,267 lei, (equivalent to 3,000 euros) for violating the provisions of art. 12-14 of Regulation (EU) 679/2016.
– fine in the amount of 5,089 lei, (equivalent to 1,000 euros) for violating the provisions of art. 12 paragraphs (3) and (4) and art. 17 paragraph (1) of Regulation (EU) 679/2016.
The investigation was initiated following two complaints, which claimed that identity cards containing personal data were published on the website evita-teparii.ro, owned by a natural person operator. At the same time, the lack of a response to the request to delete personal data belonging to a natural person and defamatory posts about him was also complained about. It was also complained that the website owned by the operator does not contain the identification information of the operator who owns the website nor other mandatory information provided for by Regulation (EU) 679/2016.
During the investigation, it was found that the operator, owner of the website evita-teparii.ro, did not respond and provide the information that the National Supervisory Authority requested in order to fulfill its investigative powers established by the Regulation, which constitutes a violation of the provisions of art. 83 para. (5) lit. e) in relation to art. 58 par. (1) of Regulation (EU) 679/2016.
At the same time, it was found that the operator processed personal data without legal basis and without complying with the processing principles established by the Regulation, natural persons whose data were processed illegally, were denigrated and considered “debtors”/”scammers”, which represents a violation of the provisions of art. 5 and art. 6 of Regulation (EU) 679/2016.
Also, the operator illegally processed special categories of data, namely data regarding the sexual life of a natural person, as well as data relating to a possible criminal conviction, which represents a violation of articles 9 and 10 of Regulation (EU) 2016/2016.
Thus, by way of example, we mention that personal data such as: name, surname, image (photos), mobile phone numbers, e-mail addresses, data regarding professional activity, data regarding alleged criminal convictions and regarding private life were illegally processed and disclosed.
At the same time, it was found that the operator processed the personal data of natural persons (data subjects) considered “debtors”/”debtors”, on the website evita-teparii.ro, without ensuring correct, complete and transparent information for the data subjects and without facilitating and effectively respecting the rights of the data subjects provided for in art. 12-14 of the GDPR.
Also, during the investigation, it was found that the operator did not respond to the data subject’s request to delete his/her personal data from the website owned by the operator nor did it take measures to delete his/her data, which represents a violation of the provisions of art. 12 para. (3)-(4) and art. 17 par. (1) of Regulation (EU) 679/2016.
In order to ensure compliance with the Regulation, the National Supervisory Authority also applied the following corrective measures to the operator:
– to ensure compliance with Regulation (EU) 679/2016 of the personal data processing operations collected and processed through the evita-teparii.ro website, by reporting to the provisions of art. 5, art. 6, art. 9, art. 10 of Regulation (EU) 679/2016, with the transmission to ANSPDCP of the resulting analysis and the measures adopted.
– to ensure compliance with Regulation (EU) 679/2016 of the personal data processing operations collected and processed through the evita-teparii.ro website, in the sense of informing the data subjects and respecting their rights, by reporting to the provisions of art. 12-22 of the Regulation.
– to comply with the request of the data subject requesting the deletion of his/her data and to respond to it.
Legal and Communication Department
A.N.S.P.D.C.P
</pre>