Data Diggers sanctioned by ANSPDCP: three GDPR fines and corrective measures for transparency failures and unlawful processing
Investigation background
The Romanian Data Protection Authority (ANSPDCP) concluded a major investigation triggered by notifications from two European supervisory authorities. The operator, Data Diggers Market Research SRL, was assessed for compliance with transparency obligations and the handling of data subject rights.
The investigation identified three significant GDPR violations, each affecting the rights and freedoms of data subjects.
GDPR Violations Identified
1. Violation of the right of access – Article 15 GDPR
The operator failed to provide complete information in response to data subject access requests.
Under Article 15, individuals have the right to know:
- what data is processed
- for what purpose
- who receives the data
- how long it is stored
- what rights they can exercise
Fine imposed: €5,000
2. Failure to provide mandatory information – Article 14 GDPR
At the first communication with data subjects, the operator did not provide essential information such as:
- identity of the controller
- purposes of processing
- legal basis
- data subject rights
- source of the data
Fine imposed: €2,000
3. Lack of a lawful basis for processing – Article 6 GDPR
The operator was unable to demonstrate a valid legal basis for processing personal data.
This is one of the most serious GDPR violations.
Fine imposed: €5,000
Total fines: €11,000
Corrective measure imposed
ANSPDCP ordered the operator to implement regular staff training on:
- handling data subject requests
- ensuring lawful processing
- applying internal procedures
- responding within legal deadlines
This indicates systemic compliance issues.
Why this case matters
The decision is a strong reminder for companies that:
- transparency is mandatory
- data subjects’ rights must be respected
- legal bases must be documented
- staff training is essential
Non‑compliance leads to financial penalties and reputational damage.