Home » Comunicat_Presa_10.11.2025
 Română | English | Francais

sigla_anspdcp_2.png

The new Regulation 2016/679 applicable from 25th of May 2018

 

Complaints

GDPR Complaints

 

Procedure for complaints

Information on the payment of fine by legal entities

Controllers

Data Protection Officer Form

 

GDPR Breach Notification

 

Law nr. 506/2004 Breach Notification

 

GDPR Sanctions

Schengen

 

Schengen

Visa Information System

 

 

 

Visa Information System

News

Useful Information

 

F.A.Q.

Guidelines Q&A Regulation (EU) 2016/679

Indicative guidelines GDPR

Guidelines on the application of Law no. 363/2018

Useful Links

 

TFTP - Terrorist Finance Tracking Program

 

 

 

Procedure

Forms

Contact

Contact us

Data Protection

Information on the processing of personal data carried out by ANSPDCP

 

Cookies policy

10.11.2025

Sanction for infringing the GDPR

 

The National Supervisory Authority for Personal Data Processing, completed, in October 2025, an investigation at the controller Whitedecor SRL and found a violation of the provisions of Article 6 paragraph (1), Article 7, Article 12 paragraph (3), Article 15 and Article 17 of Regulation (EU) 2016/679.

As such, the controller was sanctioned:

  • with a fine of 5082 lei (equivalent to 1,000 euros) for violating the provisions of Article 6 paragraph (1) letter a), Article 7, Article 21 paragraph (3) of Regulation (EU) 2016/679;
  • with a fine of 5082 lei (equivalent to 1,000 euros), for violating Article 12 paragraph (3), Article 15, Article 17 and Article 21 of Regulation (EU) 2016/679.

The investigation was initiated following a complaint by a natural person claiming that the provisions of Regulation (EU) 2016/679, regarding the rights of data subjects and the consent obtained from them, had been violated.

During the investigation, the National Supervisory Authority for the Processing of Personal Data found that the controller, following a purchase, repeatedly sent the customer unsolicited commercial messages to his telephone number.

Thus, the controller did not prove the existence of the consent obtained from the data subject for the processing of his personal data for marketing purposes, thus violating the provisions of Article 6 paragraph (1) letter a), Article 7 and Article 21 paragraph (3) of Regulation (EU) 2016/679.

At the same time, it was found that the data subject requested confirmation as to whether or not his personal data were being processed by the controller. At the same time, the client requested, through his request, a copy of the processed data, based on the provisions of Article.15 of Regulation (EU) 2016/679.

The client also expressed his opposition to the processing of his data for direct marketing purposes and requested that his personal data be deleted from the entire database held by the controller.

During the investigation, it emerged that the controller had not provided evidence of the transmission of a response within the legal deadline of no more than one month to the request for the exercise of the rights of access, opposition and deletion by the data subject. Therefore, the provisions of Article 12 paragraph (3), Article 15, Article 17 and Article 21 of Regulation (EU) 679/2016 were violated.

At the same time, based on the provisions of Article 58 paragraph (2) letters c) and d) of Regulation (EU) 2016/679, the following corrective measures were also ordered against the controller:

  • to adopt internal procedures on how to handle requests submitted by data subjects pursuant to Articles 12-22 of Regulation (EU) 2016/679, complying in all cases with the applicable provisions on the analysis and handling of these requests without delay and the communication of responses to data subjects within the legal deadlines, as well as regular training of the controller’s staff in this regard;
  • to adopt internal procedures on how to process personal data of data subjects for direct marketing purposes, in order to transmit commercial messages by electronic means of communication only with the prior express and informed consent of the data subjects.

 

Legal and Communication Department

A.N.S.P.D.C.P