Romania ANSPDCP

CJEU Rules Online Marketplaces Are GDPR Data Controllers

Romania's National Supervisory Authority for Personal Data Processing reported that the Court of Justice of the European Union ruled that online marketplace operators qualify as GDPR data controllers for personal data processed in connection with transaction operations. The ruling clarifies that platforms facilitating third-party sales cannot escape data controller obligations by characterising themselves as mere intermediaries or hosting providers.

Fine 15,000 Lei for Violation of Law 506/2004 (Cookies)

Romania's National Supervisory Authority for Personal Data Processing (ANSPDCP) issued a fine of 15,000 Lei against a controller for violating Law 506/2004, Romania's national transposition of the EU ePrivacy Directive, specifically concerning cookie usage requirements. The enforcement action was published on 11 September 2025 and represents an active penalty for non-compliance with electronic communications data protection obligations.

Roumasport Fined €10,000 for GDPR Breach

ANSPDCP imposed a €10,000 fine on Roumasport for a General Data Protection Regulation (GDPR) breach. The enforcement action reflects Romania's active enforcement of data protection rules. Organizations processing personal data should ensure compliance with GDPR requirements to avoid similar penalties.