Home » Comunicat_Presa_12_11_2025
 Română | English | Francais

sigla_anspdcp_2.png

The new Regulation 2016/679 applicable from 25th of May 2018

 

Complaints

GDPR Complaints

 

Procedure for complaints

Information on the payment of fine by legal entities

Controllers

Data Protection Officer Form

 

GDPR Breach Notification

 

Law nr. 506/2004 Breach Notification

 

GDPR Sanctions

Schengen

 

Schengen

Visa Information System

 

 

 

Visa Information System

News

Useful Information

 

F.A.Q.

Guidelines Q&A Regulation (EU) 2016/679

Indicative guidelines GDPR

Guidelines on the application of Law no. 363/2018

Useful Links

 

TFTP - Terrorist Finance Tracking Program

 

 

 

Procedure

Forms

Contact

Contact us

Data Protection

Information on the processing of personal data carried out by ANSPDCP

 

Cookies policy

12.11.2025

Sanction for infringing the GDPR

 

The National Supervisory Authority for Personal Data Processing, completed, in October 2025, an investigation at the controller Fan Courier Express S.R.L. and found a violation of the provisions of Article 12 paragraphs (2), (3) and (4) in relation to the provisions of Article 15 paragraphs (1) and (3) and Article 17 as well as of Article 5 paragraph (1) letters a), c) and e) and Article 6 paragraph (1) of Regulation (EU) 2016/679.

As such, the controller was sanctioned:

  • fine in the amount of 15,285 lei (equivalent to 3,000 euros) for violating Article 12 paragraphs (3) and (4), in relation to the provisions of Article 15 paragraphs (1) and (3) and Article 17 of Regulation (EU) 2016/679.
  • fine in the amount of 5,095 lei (equivalent to 1,000 euros) for violating the provisions of Article 5 paragraph (1) letters a), c) and e) and Article 6 paragraph (1) of Regulation (EU) 2016/679.

The investigation was initiated following a complaint from a petitioner, who reported a violation of Regulation (EU) 2016/679, as he did not receive a response from the controller Fan Curier Expres S.R.L. to the request by which he exercised his right of access and deletion.

During the inspection, it was found that the controller did not respond to the petitioner’s request and did not communicate a copy of his personal data, as requested.

At the same time, during the investigation, it was found that the controller processed personal data in violation of the provisions of Article 5 paragraph (1) letters a), c) and e), in relation to the provisions of Article 6 paragraph (1) of Regulation (EU) 2016/679, by associating a derogatory mention.

In this regard, in relation to the provisions of Article 4 paragraph (1) of Regulation (EU) 2016/679, the Court of Justice of the European Union, in Case C - 434/16, established that opinions and assessments about a person may be given as personal data, “if they relate to the performance, conduct or skills of an identifiable person”.

The controller was also ordered to take the following corrective measures:

  • to send a complete response to the request of the applicant, including by communicating a copy of his/her personal data, in a secure manner, by reporting to the provisions of Article 15 paragraphs (1), (3) and (4) of Regulation (EU) 2016/679;
  • to reassess the need to process certain information about the applicant;
  • to ensure compliance with Regulation (EU) 2016/679 of personal data processing operations, by adopting the necessary technical and organizational measures, including in terms of appropriate training of the staff designated for this purpose, so that the controller ensures compliance with the rights of the data subjects.

 

Legal and Communication Department

A.N.S.P.D.C.P