10.04.2025
A new sanction for non-compliance with the GDPR
In March 2025, the National Supervisory Authority for Personal Data Processing completed an investigation at the controller Tensa Art Design S.A., owner of the website www.lensa.ro, and found a breach of Article 6 paragraph (1) letter a) of Regulation (EU) 2016/679 (GDPR) and of Article 12 paragraphs (1)-(4) in relation to Articles 15 and 17 of the same legal act.
As such, the controller was sanctioned as follows:
- a fine in the amount of 49,774 lei, the equivalent of 10,000 euros, for the infringement of Article 6 paragraph (1) letter a) of the GDPR;
- a fine in the amount of 24,887 lei, the equivalent of 5,000 euros, for the infringement of Article 12 paragraphs (1)-(4) in relation to Articles 15 and 17 of the GDPR.
The investigation was initiated after a petitioner notified the National Supervisory Authority that the controller Tensa Art Design S.A., owner of the website www.lensa.ro, had processed his telephone number for direct marketing purposes without his consent, sending him commercial SMS messages about the company’s offers.
During the investigation, it was found that the controller S.C. Tensa Art Design S.A. did not prove the existence of the petitioner’s consent for the processing of his personal data for direct marketing purposes, thus violating the provisions of Article 6 paragraph (1) letter a) of the GDPR.
It was also found that the controller did not properly handle the requests through which the petitioner exercised his rights of access and deletion provided for by the GDPR, as the response he received was not in accordance with the provisions of Article 12 paragraphs (1)-(4) of Regulation (EU) 2016/679, in relation to Articles 15 and 17 of the same legal act.
At the same time, pursuant to Article 58 paragraph (2) letters c) and d) of the GDPR, the controller Tensa Art Design S.A. was ordered to take the following corrective measures:
- to bring its personal data processing operations into compliance with the GDPR by adopting the necessary technical and organizational measures, including appropriate training of the personnel designated for this purpose, so that the processing of personal data for direct marketing purposes by sending commercial communications through electronic communications services intended for the public (such as telephone, SMS, e-mail) is carried out only on the basis of the valid express consent of the data subjects, obtained for this purpose;
- to send a written response to the petitioner’s requests in accordance with the provisions of Articles 15 and 17 of the GDPR;
- to bring its personal data processing operations into compliance with the GDPR by adopting the necessary technical and organizational measures, including appropriate training of the personnel designated for this purpose, so that the controller is able to correctly receive, assess, handle and respond to all requests by which data subjects exercise their rights, within the deadlines and according to the conditions provided for in Articles 12-23 of the GDPR.
Legal and Communication Department
A.N.S.P.D.C.P