The National Supervisory Authority for Personal Data Processing, finalised, in September 2025, an investigation at the controller CORAL TRAVEL & TOURISM SERVICES S.R.L. and found the infringement of the provisions of Article 4 paragraph (5) letter a) of Law no. 506/2004 on the processing of personal data and the protection of privacy in the electronic communications sector.

As such, the controller was sanctioned with a fine of 5,000 lei.

During the investigation initiated ex officio, it was found that the controller stored information, namely cookies that were not technically necessary for the operation of the website owned by it (https://www.coraltravel.ro/) without obtaining the user’s consent.

Thus, the controller was fined for violating the provisions of Article 4 paragraph (5) letter a) of Law 506/2004 on the processing of personal data and the protection of privacy in the electronic communications sector, in relation to the provisions of Article 13 paragraph (1) letter i) of the same legal act.

The controller was also ordered to take the corrective measure of implementing a cookie consent mechanism on the owned website (www.coraltravel.ro), in the form of a clear and visible banner, allowing the user to express a real and informed choice, as well as configuring the system so that unnecessary cookies are not placed before obtaining valid consent.

Legal and Communication Department

A.N.S.P.D.C.P