European supervisory authorities are producing a tight cluster of enforcement decisions this week, all centered on the same core obligation: responding to data subject requests and cooperating with regulators. Romania, Greece, and Belgium each published decisions in the past 24 hours that share a common pattern — controllers that failed on access rights, and in several cases made things worse by obstructing the DPA's own inquiry. The practical signal for compliance teams is that non-cooperation is being treated as a separate, compoundable violation, not just an aggravating factor.
Romania's ANSPDCP fined Altex România approximately €8,000 for failing to respond to access, rectification, and erasure requests — and then failing to cooperate with the authority's investigation. The dual-liability structure, citing both Article 83(5)(e) and Article 58(1) GDPR, suggests ANSPDCP is applying a consistent approach to obstruction. Note: this is a distinct Altex action from the ANSPDCP fine covered in yesterday's briefing, which involved a different enforcement basis. The practical question for organizations with Romanian operations is whether their DSR workflows include escalation protocols for regulatory inquiries, not just the original requests. Watch level: MONITOR (privacy and compliance teams with Romanian operations)
ANSPDCP also published a separate fine of approximately €3,000 against Your Consulting SRL, arising from unauthorized access to personal data through a web application with deficient security controls. The violations cited — Articles 25(1) and 32(1)(a), (b), and (d) — cover both design-stage failures and operational technical measures. This suggests ANSPDCP is reviewing security architecture, not just incident response. Organizations using web-based platforms to process personal data in Romania should treat this as a prompt to review encryption, integrity controls, and testing practices. Watch level: MONITOR (security and engineering teams, DPOs with Romanian data operations)
Greece's HDPA fined a private tutoring center €4,000 for refusing to respond to a parental access request covering tuition payment records for minor children, and for obstructing the HDPA's investigation under Article 31 GDPR. The education sector context is notable: two developments this week (this decision and Utah's pending student consent legislation) both involve minors and institutional data holders. The HDPA decision reinforces that parental access rights to children's data in educational settings are being actively enforced, not just acknowledged in principle. Watch level: MONITOR (legal and compliance teams in education-sector organizations, EU)
Belgium's APD dismissed a complaint from an employee who argued his employer's email reproduction method for fulfilling an Article 15 access request was inadequate. The APD found that reproducing relevant emails satisfies Articles 15(1) and 15(3) — it does not require full-system extraction or a structured data export. This is a useful operational data point: Belgian supervisory practice appears to accept proportionate, readable reproduction as a compliant access modality. Practitioners managing workplace DSRs should note this as guidance on fulfillment format, not as a general GDPR standard, since other DPAs may differ. Watch level: MONITOR (employment lawyers, HR compliance teams, DPOs handling workplace DSRs)
Utah's SB0296, addressing consent requirements for students, has passed both chambers and been transmitted to the Governor. If signed, it would impose implementation obligations on schools and their vendors — likely including ed-tech providers, data processors, and potentially biometric or monitoring tools used in educational settings. The bill's substance warrants closer review once signed, given Utah's recent pattern of enacting student privacy measures with real compliance timelines. Watch level: PREPARE (ed-tech vendors, school district counsel, privacy teams with Utah K-12 exposure — pending Governor signature)
Policy Signal · policysignalhq.com · Major privacy + AI governance moves, distilled.