ANSPDCP (Romania) - Sanction against Tensa Art Design SA

From GDPRhub
Revision as of 13:51, 21 February 2023 by Fz (talk | contribs)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
ANSPDCP - Sanction against Tensa Art Design SA
Authority: ANSPDCP (Romania)
Jurisdiction: Romania
Relevant Law: Article 21(3) GDPR
Type: Investigation
Outcome: Violation Found
Published: 01.02.2023
Fine: 1,000 EUR
Parties: Tensa Art Design SA
National Case Number/Name: Sanction against Tensa Art Design SA
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Romanian
Original Source: ANSPDCP (in RO)
Initial Contributor: carlafilip

The Romanian DPA fined a controller €1,000 for transmitting unsolicited communications after a data subject had used their right to object in violation of Article 21(3) GDPR.

English Summary


The concerned controller was an optician and merchant for glasses, sunglasses as well as contact lenses. As part of its business, the controller sent out commercial messages through its newsletter service.

The concerned data subject was one of the newsletter's recipients. Although its is not directly stated in the case, it is strongly suggested that the controller processed the data subject's data based on legitimate interest. The data subject objected to the processing, as foreseen by Article 21 GDPR, by clicking the unsubscribe button in the newsletter. Yet, the controller continued to send commercial communication to the data subject's email address in a frequent manner. Consequently, the data subject sent a complaint to the Romanian DPA, prompting the DPA to investigate the matter. The investigation confirmed the data subject's assertions.


The DPA held that the controller's conduct was a violation of the GDPR. Pursuant to Article 21 GDPR - the right to object - data subjects have the right to object to processing which is done based either the legal basis of Article 6(1)(e) GDPR - public interest - or the legal basis of Article 6(1)(f) GDPR - legitimate interest. Moreover, Article 21(3) GDPR specifically grants data subjects the right to object to processing for direct marketing purposes.

Considering the facts above, the DPA decided that the controller violated Article 21(3) GDPR by not respecting the data subject's objection. Based on its powers pursuant to Article 58(2)(i) GDPR, the DPA fined the controller €1,000 (RON 4,927.3). Moreover, based on Article 58(2)(d) GDPR, the DPA ordered the controller to take corrective measures to ensure that its processing of personal data respected the rights of data subject vested in them by the GDPR.


Unfortunately, the Romanian DPA does not publish its full decisions. This summary is based on a press release.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.


Penalty for GDPR violation

In January 2023, the National Supervisory Authority completed an investigation at the operator Tensa Art Design SA and found a violation of the provisions of art. 21 para. (3) of Regulation (EU) 2016/679.

As such, the operator was penalized with a fine of 4927.3 lei (equivalent to 1000 EURO).

The investigation was started as a result of a notification sent by a concerned person who complained that the operator Tensa Art Design SA constantly sends him unsolicited messages.

During the investigation carried out, it was found that the operator repeatedly sent unsolicited commercial messages to the person concerned via e-mail, although he had previously requested to unsubscribe from the newsletter service.

The National Supervisory Authority found that the operator Tensa Art Design SA did not comply with the legal provisions regarding the processing of personal data, as it did not take into account the request of the data subject, sent by e-mail, through which he exercised his right of opposition and through which he notified that he had unsubscribed many times from the newsletter, thus violating the provisions of art. 21 para. (3) of Regulation (EU) 2016/679.

At the same time, as part of the investigation, the operator was also given the corrective measure to take necessary measures regarding the modification of the existing procedures at the company level, so that the rights of the data subjects provided for by Regulation (EU) 2016/679 are respected in all cases .


Legal and Communication Department