The National Supervisory Authority for Personal Data Processing completed, in June 2025, an investigation at the controller Georgescu Călin, during which a violation of the provisions of Article 4 paragraph (5) letters a) and b) of Law no. 506/2004 and of Articles 12-14 of Regulation (EU) 2016/679 was found.

As such, the controller was sanctioned as follows:

fine of 30,000 lei for the infringement of provisions of Article 4 paragraph (5) letters a) and b) of Law no. 506/2004;
fine of 20,286.80 lei (equivalent of 4,000 euros) for the infringement of Articles 12-14 of Regulation (EU) 2016/679.

The investigation was initiated following a complaint reporting a possible violation of Regulation (EU) 2016/679.

During the investigation it was found that, during the period 06.12.2024 - 03.04.2025, when accessing the controller’s website, it was possible to store and access information stored on users’ equipment, by installing cookies, without obtaining the users’ express consent in advance and without them being informed, in accordance with the provisions of Article 4 paragraph (5) of Law no. 506/2004.

As such, the controller was fined for violating the provisions of Article 4 paragraph (5) letters a) and b) of Law no. 506/2004 on the processing of personal data and the protection of privacy in the electronic communications sector.

In this context, we specify that Article 4 paragraph (5) of the aforementioned legal act establishes the following:

“(5) The storage of information or obtaining access to information stored in the terminal equipment of a subscriber or user is permitted only if the following conditions are met cumulatively:

a) the subscriber or user concerned has expressed his/her consent;

b) the subscriber or user concerned has been provided, prior to expressing his/her consent, in accordance with the provisions of Article 12 of Law no. 677/2001, as subsequently amended and supplemented, with clear and complete information which:

(i) is presented in an easily understandable language and is easily accessible to the subscriber or user;

(ii) includes mentions of the purpose of processing the information stored by the subscriber or user or the information to which he/she has access.

If the provider allows third parties to store or access information stored in the subscriber’s or user’s terminal equipment, the information in accordance with points (i) and (ii) shall include the general purpose of the processing of such information by third parties and the manner in which the subscriber or user may use the settings of the internet browser application or other similar technologies to delete the stored information or to deny third parties access to such information.”

On the other hand, during the investigation it was also found that the controller Georgescu Călin did not inform the data subjects whose personal data were collected and processed through the contact form (surname, first name, e-mail, telephone number) available on his website, during the period 06.12.2024 - 03.04.2025, thus violating the provisions of Articles 12-14 of Regulation (EU) 2016/679.

As such, in relation to the criteria for individualizing sanctions provided for in Article 83 of Regulation (EU) 2016/679, the controller was fined.

Legal and Communication Department

A.N.S.P.D.C.P