ANSPDCP – Court Ruling (Romania, 2025)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
The Romanian DPA issued a fine to a company (the controller) in April 2025 for the unlawful processing of its employees’ personal data via surveillance cameras in one of its storage facilities, in violation of Article 5(1)(a) and (b) GDPR, Article 5(2) GDPR, Article 6(1) GDPR, and Article 5 Law no. 190/2018 (Legea nr. 190/2018). The controller appealed the DPA’s decision in court, arguing, among other things, that the DPA failed to indicate the specific violation committed and the specific time and date. The controller asked the court to annul the DPA’s decision. The court found that the DPA failed to provide a concrete description of the violations committed by the controller. The court noted that the DPA’s decision only provided a generic mention that the personal data processing activities carried out by the controller were in breach of Article 5(1)(a) and (b) GDPR, Article 5(2) GDPR and Article 6(1) GDPR, along with Article 5 Law no. 190/2018. Furthermore, the court found that the DPA’s decision failed to identify and mention the exact date and context of the alleged unlawful processing activities. Instead, the decision only specified that the processing began in 2017. Therefore, the court upheld the controller’s appeal against the DPA’s decision and annulled said decision.
Outcome
Court Ruling
A ruling by a national court on a data-protection matter.
Violations (3)
Cookie banner does not provide a clear reject/refuse all button at the same level as the accept button.
Art. 7 GDPR
Non-essential cookies (tracking, advertising) are placed on the user's device before obtaining valid consent.
Art. 6(1) GDPR
The cookie banner or cookie policy provides vague, incomplete, or unclear information about what cookies are used and why.
Art. 12, 13 GDPR
Related Cases (0)
No other cases found for ANSPDCP in RO
This is the only recorded case for this entity in this jurisdiction.
Details
Ruling Date
10 December 2025
Authority
Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal
GDPRhub ID
gdprhub-court-9759
Cite as: Cookie Fines. ANSPDCP - Romania (2025). Retrieved from cookiefines.eu