ANSPDCP – Court Ruling (Romania, 2025)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
A Romanian court annulled a decision by the data protection authority that fined a company for improperly using surveillance cameras on employees. The court found that the authority did not clearly explain what violations occurred or when they happened. This ruling highlights the importance of clear communication from regulators when enforcing data protection rules.
What happened
A Romanian company was fined for unlawfully processing employee data through surveillance cameras.
Who was affected
Employees whose personal data was recorded by surveillance cameras in the company's storage facility.
What the authority found
The court ruled that the data protection authority failed to provide specific details about the violations, leading to the annulment of the fine.
Why this matters
This case shows that companies can challenge fines if authorities do not clearly outline violations. It emphasizes the need for transparency from regulators in data protection enforcement.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
National Law Articles
The Romanian DPA issued a fine to a company (the controller) in April 2025 for the unlawful processing of its employees’ personal data via surveillance cameras in one of its storage facilities in violation of Article 5(1)(a) and (b) GDPR, Article 5(2) GDPR, Article 6(1) GDPR, and Article 5 Law no. 190/2018 (Legea nr. 190/2018). The controller appealed the DPA’s decision in court arguing, among other things, that the DPA failed to indicate the specific violation committed and the specific time and date. The controller asked the court to annul the DPA’s decision. The court found that the DPA failed to provide a concrete description of the violations committed by the controller. The court noted that the DPA’s decision only provided a generic mention that the personal data processing activities carried out by the controller were in breach of Article 5(1)(a) and (b) GDPR, Article 5(2) GDPR and Article 6(1) GDPR along with Article 5 Law nr. 190/2018. Furthermore, the court found that the DPA’s decision failed to identify and mention the exact date and context of the alleged unlawful processing activities. Instead, the decision only specified that the processing began in 2017. Therefore, the court upheld the controller’s appeal against the DPA’s decision and annulled said decision.
Outcome
Court Ruling
A ruling by a national court on a data-protection matter.
Violations (3)
Cookie banner does not provide a clear reject/refuse all button at the same level as the accept button.
Art. 7 GDPR
Non-essential cookies (tracking, advertising) are placed on the user's device before obtaining valid consent.
Art. 6(1) GDPR
The cookie banner or cookie policy provides vague, incomplete, or unclear information about what cookies are used and why.
Art. 12, 13 GDPR
Related Cases (1)
Other cases involving ANSPDCP in RO
Similar Cases
Enforcement actions with similar violations
Details
Ruling Date
10 December 2025
Authority
Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal
GDPRhub ID
gdprhub-court-9759About this data
Cite as: Cookie Fines. ANSPDCP - Romania (2025). Retrieved from cookiefines.eu
Last updated: