SYNOBIS MEDICAL S.R.L – €2,000 Fine (Romania, 2024)

The Romanian DPA was notified by a website user of possible data protection violations y SYNOBIS MEDICAL S.R.L., the controller. Upon investigation, the DPA found that it was impossible to enter the website of the controller without the users´ personal data being collected through cookies. Moreover, the data subject could not access their data. The DPA found that the controller was collecting and storing personal data that was collected, through cookies, from the users´ equipment without obtaining their express consent. Moreover, the controller did also not inform the users of the presence of said cookies, violating [https://www.dataprotection.ro/servlet/ViewDocument?id=173 Article 4(5) and 13(1)(i) Law 506/2004], Romanian law on the processing of personal data and protection of privacy in the electronic communications sector (implementation of the E-Privacy Directive). Moreover, the controller did not inform the data subject of whose personal data they collected, and processed through the website, violating Article 12 and 14 GDPR. Consequently, the DPA deemed it appropriate to impose a fine of RON 10,000 (€4,972) to the controller.