TI – 9/2026

20 February 2026


{{COURTdecisionBOX

|Jurisdiction=Romania
|Court-BG-Color=
|Courtlogo=Courts_logo1.png
|Court_Abbrevation=TI
|Court_Original_Name=Tribunalul Ilfov
|Court_English_Name=Ilfov Tribunal
|Court_With_Country=TI (Romania)

|Case_Number_Name=9/2026
|ECLI=

|Original_Source_Name_1=Rejust
|Original_Source_Link_1=https://www.rejust.ro/juris/84284d3g4
|Original_Source_Language_1=Romanian
|Original_Source_Language__Code_1=RO
|Original_Source_Name_2=
|Original_Source_Link_2=
|Original_Source_Language_2=
|Original_Source_Language__Code_2=

|Date_Decided=12.01.2026
|Date_Published=
|Year=2026

|GDPR_Article_1=Article 12 GDPR
|GDPR_Article_Link_1=Article 12 GDPR
|GDPR_Article_2=Article 13 GDPR
|GDPR_Article_Link_2=Article 13 GDPR
|GDPR_Article_3=Article 14 GDPR
|GDPR_Article_Link_3=Article 14 GDPR
|GDPR_Article_4=
|GDPR_Article_Link_4=
|GDPR_Article_5=
|GDPR_Article_Link_5=

|EU_Law_Name_1=
|EU_Law_Link_1=
|EU_Law_Name_2=
|EU_Law_Link_2=

|National_Law_Name_1=Article 4(5)(a) & (b) Romanian Law no. 506/2004
|National_Law_Link_1=
|National_Law_Name_2=
|National_Law_Link_2=
|National_Law_Name_3=
|National_Law_Link_3=

|Party_Name_1=ANSPDCP
|Party_Link_1=
|Party_Name_2=
|Party_Link_2=
|Party_Name_3=
|Party_Link_3=

|Appeal_From_Body=ANSPDCP
|Appeal_From_Case_Number_Name=16.07.2025
|Appeal_From_Status=
|Appeal_From_Link=https://gdprhub.eu/index.php?title=ANSPDCP_(Romania)_-_Fine_against_a_Romanian_politician
|Appeal_To_Body=
|Appeal_To_Case_Number_Name=
|Appeal_To_Status=Unknown
|Appeal_To_Link=

|Initial_Contributor=
|
}}

A court upheld the DPA’s decision to fine a website operator RON 20,286.80 (€4,000) for failing to inform users of the processing of their personal data via a contact form, as well as RON 30,000 (€6,000) for placing optional cookies on users’ devices without consent.

== English Summary ==

=== Facts ===
A politician, the operator of a website (the controller), appealed a DPA decision sanctioning him for the placement of optional cookies onto users’ devices when visiting his website, as well as for failing to inform data subjects of the processing of their personal data via the contact form available on the website.

The DPA fined the controller a total of RON 50,286.80 (approximately €10,000) for breaching Article 4(5)(a) & (b) Romanian Law no. 506/2004 transposing e-Privacy Directive 2002/58 and [[Article 12 GDPR]], [[Article 13 GDPR]] and [[Article 14 GDPR]].

The controller claimed in its appeal that, among other things, the DPA failed to include in its decision the complete mandatory information prescribed by administrative law, that the cookies placed on the users’ devices were necessary, and that data subjects were informed of the processing activities on the website.

Therefore, the controller requested the annulment of the DPA decision.

=== Holding ===
The court dismissed the controller’s appeal.

It found that the website links directing to the privacy policy and information notice were not functional, but that they became functional following communications from the DPA to the controller.

Furthermore, the court noted that website users did not have a clear and visible way of providing consent to the use of cookies on the website.

Moreover, the court found that the DPA decision contained most of the necessary information required by law. The court noted that the missing information referred only to the objections of the controller. However, the court emphasised that such an omission did not require the annulment of the DPA decision, since the controller was able to raise his objections during the appeal.

Finally, the court emphasised the electoral context in which the violations occurred, pointing out the increased danger of unlawful processing of the personal data collected via the website at that time.

Therefore, the court dismissed the controller’s appeal and maintained the DPA’s decision in the case.

== English Machine Translation of the Decision ==
The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.

<pre>
ECLI Code ECLI:RO:TBILF:2026:018.######

File no. ####/93/2025
R O M Â N I A
COURT OF ILFOV
2ND CIVIL AND ADMINISTRATIVE AND TAX DISPUTE SECTION

CIVIL JUDGMENT No. #
Public hearing of 12 ######## 2026
Panel composed of:
PRESIDENT ######-#### #####
Clerk ####### ##### #####

The case of Administrative and tax dispute concerning the plaintiff ######### #####, in contradiction with the defendant NATIONAL SUPERVISORY AUTHORITY FOR THE PROCESSING OF PERSONAL DATA WITH ########, having as object “cancellation of administrative act, report no. 15820/26.06.2025”.
The debates took place in the public hearing on 04.12.2025, being recorded in the closing of the hearing from that date which is an integral part of this, when the court, needing time to deliberate and to give the parties the opportunity to submit written conclusions, postponed the ruling to 19.12.2025, to 29.12.2025 and to 12.01.2026, when it decided the following:

THE COURT

On the present case, finds the following:
By the summons filed with the Ilfov Court on 15.07.2025, the plaintiff ######### #####, in contradiction with the defendant NATIONAL SUPERVISORY AUTHORITY FOR THE PROCESSING OF PERSONAL DATA WITH ########, requested, mainly, the annulment of the report of finding/sanctioning no. 15820/26.06.2025 with the consequence of being exempted from paying the fines applied; in the alternative, replacing the sanction of the fines applied in the amount of 30,000 lei, respectively 20,286.80 lei with the sanction of a warning or reducing the fines applied; obliging the defendant to pay the court costs consisting of lawyer’s fees and judicial stamp duty.
The plaintiff showed that through the report of finding/sanctioning, unfoundedly, he was sanctioned in contravention by applying 2 contravention fines, one in the amount of 30,000 lei for the alleged violation of art. 4 para. 5 let. A and B of Law 506/2004, respectively another in the amount of 20,286.80 lei for the alleged violation of the provisions of art. 12-14 of EU Regulation 2016/279.
It showed that the illegality of the report lies in the defendant’s omission to mention the following mandatory information, namely: the date, time and place of the commission of the contravention; mentioning the court to which the complaint against the report of finding/sanctioning is filed; recording the identification data of the witness to attest to the drafting in absentia of the report, respectively the reasons that led to the drafting in absentia of the report.
Regarding the time and place of the alleged contravention, from the analysis of the contested report it can be observed that no mention is made regarding the time and place of the contravention, and regarding the date of the alleged contravention, the mentions in the report are clearly contradictory. The omission of mentioning the specific date of the commission of the contravention contravenes the legality requirements imperatively required by art. 16. paragraph 1 of OG 2/2001 and art. 23 paragraph 2 letter H of Decision ###/2018, in which context from this point of view it is considered that art. 17 OG 2/2001, which provides for the absolute nullity of the report, is incident.
The defendant’s omission to mention the court to which the contravention complaint is filed, entails the nullity of the report.
Another omission that entails the nullity of the report is the one relating to the mention of the identification data of the parent in the situation where the report is concluded in the absence of the contravener.
Regarding the groundlessness of the finding/sanctioning report, the plaintiff pointed out that its contents do not mention what personal data were collected given that Cookies are small text files whose main purpose is to improve the navigability of the site (with the aim of distinguishing between mobile, tablet, desktop – that is, to identify which category the user’s device belongs to so that the server can provide the appropriate site version for the user’s device), respectively to identify the number of users of a site, the latter being, in reality, a cookie generally used by Google to (show in) Google Search Console the number of visitors. In turn, Cookies that aim to improve the functionality of a site are absolutely necessary cookies, generally used by Google, cookies without which it would be impossible to load (access) the internet pages. Thus, these cookie hp are preset by Google and are taken over word by word by the platforms on which the sites are created, in this case WordPress. Therefore, personal data such as name, surname, email, etc. cannot be collected through Cookies. He also pointed out that Law No. 506/2004 on the basis of which he was sanctioned is not applicable to individuals, but exclusively to communication service providers.
The minutes on page 3 acknowledge the existence of the privacy policy and the disclaimer regarding the use of the site, as well as the checkboxes required to send the message, but the unfounded mention is made that these are not functional and it omits both the mention that without selecting the checkboxes the message cannot be sent, and the fact that in the content of the form the fields for the name and surname were optional in the context in which they could or could not be completed by the site visitor (in over 90% of cases they were not completed). Regarding the alleged non-functionality of the information note and the privacy policy, it was found that the defendant’s assessment is unfounded, because even in the context presented in annexes 7 A and 7 B, the respective pages were functional.
As for the form of guilt of the alleged contraventions, the plaintiff showed that the alleged non-functionalities of the site were completely unrelated to his intention, meaning that at most the slightest fault can be held in committing these acts. On the other hand, even in the content of the report, it is mentioned that the alleged acts were committed out of negligence.
##### considering that the alleged acts committed present a reduced social danger, it was considered that it is necessary to replace the fine with a warning or reduce the fines applied to the special minimum provided for by law.
In law, the provisions of art. 17 para. 1 of Law 102/2005, respectively art. 31 para. 1 and art. 32 para. 1 of OG2/2001, as well as the rest of the legal provisions invoked herein.
On 22.08.2025, the defendant filed a response requesting the rejection of the complaint as unfounded and unfounded.
The defendant indicated that, on 06.12.2024, it received from the National Authority for Administration and Regulation in Communications a notification from an individual regarding a possible violation of the provisions of the legislation in the field of personal data protection, namely that the website https://calingeorgescu.ro/ does not comply with the provisions of the legislation in force regarding the protection of personal data and the use of cookies, as it does not have a clear and visible cookie policy implemented, according to Regulation (EU) 2016/679 (hereinafter GDPR) and the ePrivacy Directive, this affecting the users’ right to information and consent regarding the collection and use of their personal data.
Following the checks carried out on the website https://calingeorgescu.co/ by the representatives of the ANSPDCP, it was found that the claims of the petitioner are confirmed.
Thus, upon accessing the site https://calingeorgescu.ro/ on 11.12.2024, it was found that there was no information and a clear way to obtain consent regarding the collection and processing of personal data through cookies, although the operator had this obligation before installing them in the user’s terminal according to art. 4 para. (5) of Law no. 206/2004.
#### of the legal provisions in force and the facts established, committed by the plaintiff, the defendant emphasized that his claims regarding the invocation of the nullity of the minutes, for the violation of the provisions of art. 16, 17 and 19 of OG no. 2/2001, with subsequent amendments and additions, cannot be retained. The plaintiff had the obligation to comply with the provisions of Law no. 506/2004 and was rightly sanctioned for the violation of the provisions of art. 4 para. (5) letters a and b of Law no. 506/2004.
The defendant also indicated that the reduction of the fine requested by the plaintiff or even changing the sanction to a warning would be likely to encourage the plaintiff’s behavior in violation of data protection rules, especially since, as he claims, he implemented the GDPR and was, therefore, not only obliged to respect and know this normative act but also to correctly apply the provisions of the Regulation.
In law, art. 205 Cpc, Law no. 102/2005, Regulation (EU) 2016/679, Law no. 506/2004, Law no. 554/2004, OUG no. 80/2013, Regulation on the organization and functioning of the National Supervisory Authority, Decision of the President of ANSPDCP no. 161/2018.
In terms of evidence, the Court approved the documentary evidence for the parties.
Analyzing the documents and papers of the file, the Court notes the following:
By the report of finding/sanctioning no. 15820 of 26.06.2025 (pages 87-94), the petitioner ######### ##### was sanctioned with a fine in the amount of 30,000 lei for violating art. 4 para. (5) let. a) and b) of Law no. 506/2004 on the processing of personal data and the protection of privacy in the electronic communications sector, pursuant to art. 13 para. (1) let. i) and art. 13 para. (2) of Law no. 506/2004, in conjunction with art. 5 para. (2) let. b) and art. 8 of OG no. 2/2001, respectively with a fine in the amount of 20,286.8 lei, the equivalent of 4,000 euros according to the NBR exchange rate of 26.06.2025, 15:00, for violating the provisions of art. 12-14 of the GDPR, pursuant to art. 58 para. (2) let. i) of the GDPR, in conjunction with art. 83 para. (5) let. b) of the GDPR, in relation to art. 15 para. (1) and para. (6) of Law no. 102/2005, republished, as well as to art. 12 of Law no. 190/2019, in conjunction with art. 8 of OG no. 2/2001.
In fact, on 26.06.2025, the following facts were noted, being ascertained at the respondent’s headquarters on the date of conclusion of the minutes:
1.###### ##### ######### violated the provisions of art. 4 para. (5) let. a) and b) of Law no. 506/2004 on the processing of personal data and the protection of privacy in the electronic communications sector, as amended and supplemented, because it allowed the storage of information and access to information stored on users’ equipment when accessing the site https://calingeorgescu.ro/ by installing cookies that are not technically necessary, without complying with the legal conditions regarding the prior obtaining of express consent and without informing users, starting with 06.12.2024 and until 03.04.2025, according to the findings in the report, the act constituting the contravention provided for in art. 13 para. (1) of Law no. 506/2004, with subsequent amendments and supplements.
2.###### ##### ######### violated the provisions of art. 12-14 of the GDPR, because it did not provide information to the data subjects whose categories of personal data were collected and processed through the contact form (surname, first name, email, telephone number), available on the website https://calingeorgescu.ro/, starting with 06.12.2024 and until 03.04.2025, the act constituting the contravention provided for by art. 12 of Law no. 190/2018 in relation to the provisions listed in art. 83 para. (5) letter b) of the GDPR.
Following a notification dated 02.12.2024, registered with the respondent under no. 22578 of 06.12.2024, verifications were carried out, holding that the notified aspects are confirmed.
Thus, upon accessing the site https://calingeorgescu.ro/, on 11.12.2024, it was found that there was no information and a clear way to obtain consent regarding the collection and processing of personal data through cookies, although the operator had this obligation before installing them in the user’s terminal according to art. 4 para. (5) of Law no. 506/2004.
At the time of accessing the site, the following types of cookies were installed in the user’s terminal: VISITOR_INFO1_LIVE, VISITOR_PRIVACY_METADATA, YSC_ga, ga_4V9F8WVDPT, AEC, CONSENT, NID, ####, as shown in the Annex to the minutes.
Also, on the website https://calingeorgescu.ro/, in the Contact section, there was a form through which the following personal data were collected: name, surname, email, telephone and message. Under this form there were two checkboxes that had to be checked: “I have read and agree to the #### information – SEE HERE” and “I have read and accept the Agreement on the processing of personal data – SEE HERE”, but the two links were not functional, as shown in the Annex to the minutes.
Thus, by address no. 1615 of 29.01.2025, to the address sent by email to the address #########################, indicated on the website https://calingeorgescu.ro/ – contact section, the respondent requested information from the petitioner, regarding the personal data collected, the way in which site visitors can reject or select which cookies can be installed, about their use and for what purposes, the periods of storage of information, the way in which individuals are informed and the exercise of rights, as well as regarding the security measures and confidentiality of the processing of personal data of individuals.
The respondent noted that no response was communicated, retransmitting the address on 25.02.2025.
Following the steps taken by the respondent, it was communicated that the holder of the right to use the site domain is the petitioner in this case.
Further, following the re-verification of the site on 12.03.2025, it was found that the “#### information” and “Agreement regarding the processing of personal data” became functional after the transmission and receipt of address 1615 of 29.01.2025, but a clear and visible way to obtain consent regarding the processing of personal data through cookies was not available.
By address no. 5409 of 18.03.2025, address no. 1615 of 29.01.2025 was retransmitted, by written mail, with confirmation of receipt, the petitioner communicating a response, included in the report of the contravention.
Taking this into account, on the date of the inspection, 26.06.2025, the inspection team found that the owner of the calingeorgescu.ro domain is Mr. ##### #########, a natural person, and through the website https://calingeorgescu.ro/, personal data were processed, starting with 06.12.2024 and until 03.04.2025, through cookies, without cumulatively fulfilling the provisions of art. 4 paragraph. (5) of Law no. 506/2004.
Following the receipt of address 1615 of 29.01.2025, it was noted that the operator had implemented the provisions of art. 4 paragraph. (5) of Law no. 506/2004 regarding the use of cookies on the website https://calingeorgescu.ro/.
#### in response address no. 6881 of 03.04.2025, Mr. ##### ######### mentions that “I was not aware of the information request address” since the address ####################### is not the electronic correspondence address, he indicates it in the Privacy Policy, at point 8 of the response address, as the way in which the rights of the data subjects are allowed to be exercised by sending a request to the dedicated e-mail address #############################.
It was noted that Mr. ##### ######### did not comply with the provisions of Law no. 506/2004, amended and supplemented, in conjunction with those of the GDPR, regarding the use of cookies on the website https://calingeorgescu.ro/, by not providing clear and complete information, in accordance with the provisions of art. 13 of the GDPR, regarding the purpose for which he uses cookies or access to the information stored by them.
At the same time, Mr. ##### ######### did not make available to the user/visitor a “Refusal” button that would allow him/her to access the website https://calingeorgescu.ro/ without storing cookies that are not technically necessary, in violation of the provisions of Law no. 506/2004, as amended and supplemented, according to which the storage of information or obtaining access to information stored in the terminal equipment of a subscriber or user is permitted only with the cumulative fulfillment of the conditions set out in art. 4 para. (6) let. a) and b) of Law no. 506/2004. It did not ensure complete information of the data subjects whose categories of personal data were collected and processed through the contact form (surname, first name, email, telephone number), available on the website https://calingeorgescu.ro/ starting with 06.12.2024 and until 03.04.2025.
On the date of the conclusion of the contravention report, 26.06.2025, the owner of the calingeorgescu.ro domain, respectively the petitioner, did not implement, in accordance with Law no. 506/2004, the minimum mandatory requirements provided for in art. 4 para. (5) let. a) and b) of Law no. 506/2004, according to the printscreen.
As a preliminary matter, the Tribunal notes that according to art. 19 para. 2 of Law no. ######## to the extent that this law does not provide otherwise, the determination and application of contravention sanctions are carried out in compliance with Government Ordinance no. 2/2001 on the legal regime of contraventions, with subsequent amendments and additions.
In this case, the Tribunal notes that grounds for nullity of the contravention report were invoked, which appear to be unfounded, and at the same time no grounds for nullity were observed that could be invoked ex officio.
Thus, the cases of absolute nullity are strictly and restrictively provided for, and are found only in the content of art.17 of OG 2/2001, in all other situations only relative nullity can occur, and in order to order the cancellation of the report of the finding of the contravention, it is necessary for the petitioner to prove that this violation caused him an injury that can only be removed by canceling the report.
According to art. 17 of OG no. 2/2001: “###### the mentions regarding the name, surname and capacity of the ascertaining agent, the name and surname of the contravener, and in the case of a legal person the lack of its name and headquarters, of the act committed and the date of its commission or of the signature of the ascertaining agent entails the nullity of the report”.
However, the court finds that there is no case of absolute nullity of the contravention report, the act being at the same time described appropriately and allowing the court to fully analyze the situation, in fact and in law.
Regarding the petitioner’s criticism regarding the witness assistant, the court notes that according to art. 19 paragraph 1 of OG 2/2001, if the contravener is not present, refuses or cannot sign, the witness shall mention these circumstances, which must be confirmed by at least one witness. Therefore, the role of the witness assistant is to ensure the conformity of the conclusion of the report, and not to prove the factual situation described in the report of finding and sanctioning the contravention.
Regarding the petitioner’s criticism that the contravention report was concluded in his absence, and the witness did not allow him to exercise his right to mention all the objections he had, according to art. 16 paragraph 7 of O.G. no. 2/2001, at the time of concluding the report, the ascertaining agent is obliged to inform the offender of his right to object to the content of the ascertaining act. Objections are recorded separately in the report under the heading “#### mentions”, under penalty of the nullity of the report. Since it is a relative nullity, the damage must not be removed in any other way than by annulling the act. In this regard, by decision of the High ##### of Cassation and Justice no. XXII of 19.03.2007, the appeal request was resolved in the interest of the law and it was established that in application of the provisions of art. 16 paragraph 7 of O.G. no. 2/2001, failure to comply with the requirements set out in art. 16 paragraph 7 of the aforementioned normative act entails the relative nullity of the report establishing the contravention.
In the present case, the court finds that it is not necessary to annul the act for this reason, because the damage can be removed by presenting objections in the present civil proceedings, which was done from the moment the contravention complaint was filed, being analyzed by the court.
With regard to the other dates to which the petitioner refers in his criticism regarding the illegality of the minutes, the Court notes that, in this case, all aspects relating to the date, time and place of the commission of the contravention were recorded, namely, it must be taken into account that the act occurred in the online environment and was ascertained on 26.06.2025, having a continuous nature, namely starting with 06.12.2024 and until 03.04.2025.
It will remove the petitioner’s claims that the daily violation of the legal provisions regarding the processing of personal data had to be demonstrated, compared to the continuous nature of the contraventions, the burden of proof in this regard being on the petitioner, in the sense of the existence of a material act subsumed under a manifestation of will, in the sense of modifying the site settings in relation to the privacy policy.
However, the petitioner did not provide this evidence, according to the provision of art. 249 of the Code of Civil Procedure, and the respondent, on the contrary, verified at various time intervals, mentioned and described in the contravention report, the manner in which the processing of personal data and the protection of privacy are carried out when accessing the site owned by the petitioner.
Also, the contravention report was concluded at the respondent’s headquarters, taking into account that the investigation was conducted in writing.
With regard to the petitioner’s criticism regarding the intervention of the statute of limitations, the Court finds that it is unfounded, in view of the provisions of art. 15 paragraph (4) of Law no. 102/2005: “The sanctions provided for in paragraph (1) may be applied within 3 years from the date of the commission of the act. In the case of violations that last over time or those consisting of the commission, based on the same resolution, at different intervals of time, of several actions or inactions, each of which presents the content of the same contravention, the statute of limitations begins to run from the date of the finding or from the date of the cessation of the last act or act committed, if this moment occurs prior to the finding.”
Or, as the respondent also claims, these special regulations apply not only in the case of violation of the provisions on the GDPR, but also in the case of acts found to have been committed under Laws no. 506/2004 and Law no. 363/2018.
With regard to the petitioner’s criticism regarding the lack of mention of the court to which the contravention complaint must be filed, the Court notes that the petitioner did not provide evidence of any damage, the appeal being filed with the competent court according to the legal provisions, within the time limit provided by law.
With regard to the merits, the Court notes that the evidentiary power of the minutes of finding and sanctioning the contravention, although not provided for by O.G. 2/2001, is left to the judge’s discretion, (arts. 250 and 264 paragraph 2 and 329 paragraph 2 of the NCPC) having the probative value of a probative act reconstructed, making the evidence until proven otherwise.
In the case of ######## ######## against Romania (application no. 23470/05), similar to the case of ###### against Romania, the European Court found compliance with Article 6 of the Convention, the applicant having the possibility within the domestic procedure to present evidence to overturn the relative presumption from which the contested report “benefited”, according to the national legislation.
Therefore, the Court does not remove the presumption of legality of the report from the Romanian contravention procedure, but imposes the balance that must exist between the presumption of innocence specific to the matter and the presumption of legality and validity of the contravention report.
In the contravention procedure provided for by OG no. 2/2001, the challenger has the possibility to remove this presumption of unfoundedness of the process by administering certain and conclusive evidence, in accordance with the provisions of Art. 249 C.proc.civ.
The petitioner did not present a rational explanation of the reason why the agent would have drawn up the report recording an unreal situation, in order to raise a doubt regarding its objectivity, nor did he prove the existence of a cause exonerating from liability, according to art. 11 of O.G. no. 2/2001, so that the report is legal and sound.
The principles related to the processing of ######## Personal Data are established in art. 5 of the GDPR, as follows:
“(1) ######## Personal Data are:
a) processed legally, fairly and transparently towards the person concerned (“legality, fairness and transparency”);
b) collected for specific, explicit and legitimate purposes and are not subsequently processed in a manner incompatible with these purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes is not considered incompatible with the initial purposes, in accordance with Article 89(1) (‘purpose limitation’);
c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (“Data minimisation”);
d) accurate and, where necessary, kept up to date; all necessary steps must be taken to ensure that ######## Personal data which are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (“accuracy”);
e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data are processed; Personal data may be stored for longer periods insofar as they will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1), subject to the implementation of appropriate technical and organisational measures provided for in this Regulation to safeguard the rights and freedoms of the data subject (“storage limitations”);
f) processed in a manner that ensures adequate security of Personal Data, including protection against unauthorised or unlawful Processing and against accidental loss, destruction or damage, by taking appropriate technical or organisational measures (“integrity and confidentiality”).
(2) The controller is responsible for compliance with paragraph (1) and can demonstrate this compliance (“accountability”)”.
The legal basis for processing ######## Personal Data is provided by Art. 6 of the GDPR. Thus, according to Art. 6 para. (1) of the aforementioned normative act “Processing is lawful only if and to the extent that at least one of the following conditions applies:
(a) the data subject has given consent to the processing of his or her ######## Personal Data for one or more specific purposes;
(b) the processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
(c) the processing is necessary for compliance with a legal obligation to which the controller is subject;
(d) the processing is necessary to protect the vital interests of the data subject or of another natural person;
(e) the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
(f) processing is necessary for the purposes of the legitimate interests pursued by the operator or by a third party, except where the interests or fundamental rights and freedoms of the data subject prevail, which require the protection of Personal Data, in particular where the data subject is a child”.
Thus, the respondent directly ascertained, through the competent personnel with control responsibilities, that, upon accessing the site https://calingeorgescu.ro/ on 11.12.2024, there was no information and no clear way to obtain consent regarding the collection and processing of personal data through cookies, although the operator had this obligation before installing them in the user’s terminal according to art. 4 paragraph (5) of Law no. 506/2004.
At the time of accessing the site, the following types of cookies were installed in the user’s terminal: VISITOR_INFO1_LIVE, VISITOR_PRIVACY_METADATA, YSC_ga, ga_4V9F8WVDPT, AEC, CONSENT, NID, ####, as shown in the Annex to the minutes.
However, all these cookies have the ability to collect personal data, in particular: online identifiers (cookie ID, user ID), usage and behavior data, preferences, approximate location, consent data, it being irrelevant in the case which personal data was actually collected, the installation of cookie modules that are not technically necessary being sufficient in itself.
Thus, cookie modules are small text files that are downloaded to the memory of a computer or other such device: the website transmits information to the browser, and each time the user accesses the respective website again, the browser accesses and transmits this text file to the website server.
As the respondent claims, art. 4.1.2 of Opinion no. 1/2008 states that “Where a cookie contains a unique user ID, this ID clearly constitutes personal data. The use of persistent cookies or similar devices with a unique user ID allows the tracking of users of a particular computer even if dynamic IP addresses are used.”
At the same time, Decision no. ##/2015 of the Constitutional Court ruled that the IP address of a website user is personal data.
The Court notes that the petitioner has not proven the erroneous or unfounded nature of the findings of the respondent’s agents, made ex propriis sensibus, given that the existence of the cookie modules is fully proven and results even from the attached photo sheets of the contravention report.
In this case, the petitioner could have requested a computer expertise to provide evidence contrary to those contained in the contravention report, an aspect not fulfilled in the present case, in reality the petitioner limiting himself only to contesting the veracity of what was observed during the frequent checks carried out by the respondent’s agents, throughout the incriminated period, namely starting with 06.12.2024 and until 03.04.2025.
The Court is to dismiss the petitioner’s claims that the legal provisions do not apply to him, being a natural person, given that art. 4 of the GDPR defines the notion of “controller”, namely the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; when the purposes and means of the processing are established by Union law or national law, the controller or the specific criteria for his designation may be provided for in Union law or national law.
Regarding the invocation of the inapplicability of Law no. 506/2004, the Court notes that the provision of art. 1 paragraph (3) of Law no. 506/2004 states: “The provisions of this law are supplemented by the provisions of Law no. 677/2001 for the protection of individuals with regard to the processing of personal data and the free movement of such data”, and following the repeal of Law no. 677/2001, all references to this law shall be interpreted as references to the GDPR, the relevant provisions of which are cited above, thus retaining the status of the petitioner as operator.
Thus, the provisions of Law no. 506/2004 apply to all activities involving the provision of electronic communications services, regardless of the status of the person performing it, whether a natural or legal person.
It is not relevant in the present case when the petitioner actually became aware of the content of the respondent’s address, given that this aspect does not influence the contravention liability nor the aspects of legality and validity retained in the contravention report.
On the other hand, the petitioner himself mentioned in the response address no. 6881/03.04.2025 that the method by which the rights of the data subjects are allowed to be exercised is #########################, also used by the respondent for correspondence with the petitioner.
Also, on the website https://calingeorgescu.ro/, in the Contact section, there was a form through which the following personal data was collected: name, surname, email, telephone number and message. Under this form there were two checkboxes that had to be checked: “I have read and agree to the #### information – SEE HERE” and “I have read and accept the Agreement on the processing of personal data – SEE HERE”, but the two links were not functional, as shown in the Annex to the minutes.
The defendant’s agents personally found that the browser completely refused the connection, and the “learn more” link could not have led to the content of the page, but to the Mozilla technical documentation.
The fact that the errors existed and persisted throughout the period under review is also confirmed by their remediation, the links becoming functional, namely those leading to the information note and the processing agreement, confirming the existence of the contravention for the entire previous period.
It does not appear that the communication of personal data was carried out with the express consent of the users, as there is no evidence in this regard, although the burden of proof lies with the petitioner in this regard. Thus, there is no evidence of the existence of a “Refusal” button that would allow access to the site without storing cookies that are not technically necessary.
The Court cannot accept the applicant’s claim that he had obtained the consent of the data subjects for the processing of the data, the fact that the fields dedicated to the surname and first name in the contact form were optional, not being in itself relevant to reach such a conclusion.
Thus, according to art. 4 paragraph (5) of Law no. 506/2004, “The storage of information or obtaining access to information stored in the terminal equipment of a subscriber or user is permitted only with the cumulative fulfillment of the following conditions:
a) the subscriber or user in question has expressed his consent;
b) the subscriber or user in question has been provided, prior to expressing his consent, in accordance with the provisions of art. 12 of Law no. 677/2001, as subsequently amended and supplemented, with clear and complete information which:
(i) is presented in an easily understandable language and is easily accessible to the subscriber or user;
(ii) includes information on the purpose of processing the information stored by the subscriber or user or the information to which he has access.
If the provider allows third parties to store or access information stored in the subscriber or user’s terminal equipment, the information in accordance with points (i) and (ii) shall include the general purpose of the processing of such information by third parties and the manner in which the subscriber or user may use the settings of the internet browser application or other similar technologies to delete the stored information or to deny third parties access to such information.”
Also, recital (32) of EU Regulation No. 2016/679 provides that the existence of consent should be granted by an unequivocal action, an aspect not fulfilled in this case.
Thus, it was correctly held that the petitioner violated the provisions of art. 4 para. (5) letters a) and b) of Law No. 506/2004.
It was correctly held that the provisions of art. 12-14 of EU Regulation No. 2016/679 were violated, the petitioner not ensuring information to the data subjects whose categories of personal data were collected and processed.
As the respondent also claims, it cannot be a question of data processing carried out within the framework of an exclusively personal activity, the Regulation being applicable to controllers or persons empowered by controllers who provide the means of processing personal data for personal or domestic activities.
However, given the petitioner’s claims that the contact form was only a way to receive the support of the sympathetic electorate and to respond to their social needs, and that on the mentioned website there were consent checks for the processing of personal data, it therefore results that the petitioner assumed the capacity of operator, the offence report being valid in this respect as well.
For all these reasons, the Court holds that the petitioner did not provide evidence contrary to those retained by the investigating officer, although the burden of proof fell on him, according to art. 249 of the Code of Civil Procedure, which is why it will retain the legality and validity of the contested report.
Regarding the individualization of the sanction, the following are noted:
According to art. 21 of OG no. 2/2001, the sanction is applied within the limits provided by the normative act and must be proportional to the degree of social danger of the act committed, taking into account the circumstances in which the act was committed, the manner and means of committing it, the purpose pursued, the consequence produced as well as the personal circumstances of the offender and the other data recorded in the report.
According to art. 7 paragraph 2 of O.G. no. 2/2001, the warning is applied if the act is of low gravity.
In the present case, compared to the gravity of the acts held against her, the court considers that the fine imposed is proportional considering that the applicant had the obligation to ensure the protection of Personal Data which constitutes a fundamental right, Article 8 paragraph (1) of ##### Fundamental Rights of the European Union and Article 16 paragraph (1) of the Treaty on the Functioning of the European Union (TFEU) regulating the right of any person to the protection of Personal Data concerning him.
Last but not least, the Court notes that the contraventional acts found are of particular gravity, the need to protect personal data being all the more relevant given the social electoral context at that time and the at least hypothetical danger of using personal data for this purpose, corroborated by the considerable duration of the violation of rights and the number of potentially targeted persons who accessed the site during the reference period; all these aspects fully justify the application of the sanction of the contravention fine, in the amount established by the respondent’s agents.
For these reasons, the Tribunal holds that the contravention fine applied is proportional to the seriousness of the act committed.
Therefore, for the reasons stated, the Tribunal is to reject the contravention complaint filed, as unfounded.

FOR THESE REASONS,
IN THE NAME OF THE LAW
RULES:

Rejects the complaint concerning the plaintiff ######### #####, residing in Mogoşoaia, #### # ####### ######## ########## ########## ########## ########## ########## ########## ########## ########## ########## ########## ########## ###### #### ##### #######, IC Boulevard ######## no. 16-18, ####, ### #, sector 5, in contradiction with the defendant NATIONAL SUPERVISORY AUTHORITY FOR THE PROCESSING OF DATA WITH ######## PERSONAL, with headquarters in Bucharest, sector 1, B-dul G-ral ######## #######, no. 28-30, as unfounded.
With appeal within 30 days from communication.
##### of appeal is filed with the Ilfov Court.
Pronounced today, 12.01.2026, by making the solution available to the parties through the court registry.

President,
######-#### #####

Clerk,
###### ##### #####

Draft document – ##### ##
Redact.- ###: A.R.D.- 4 ex./28.01.2026
Communiqué 2 copies/28.01.2026
</pre>