Daily Briefing
2026-04-15

April 15, 2026

5 signals · generated 08:00 UTC

European data protection authorities are issuing a steady stream of enforcement decisions targeting access request failures and inadequate security controls — all at the lower end of the penalty scale, but collectively signaling that routine operational compliance remains a live enforcement priority. Today's five developments consist of EU enforcement actions and a single US state bill, and three of the EU decisions share a common thread: controllers compounding access request failures by obstructing DPA investigations.

Romania's ANSPDCP fined Your Consulting SRL approximately €3,000 following a data breach traced to a web application with deficient security architecture. The decision cites Articles 25(1) and 32(1)(a), (b), and (d) GDPR — covering both privacy-by-design obligations and specific technical controls including encryption, integrity mechanisms, and regular testing. The practical question for compliance teams is whether their web-facing applications have documented evidence of security testing and design review; ANSPDCP appears to require both. Watch level: MONITOR (data controllers operating web applications in Romania or the EU — decision is final but limited to Romanian enforcement context)

The Greek HDPA and Romanian ANSPDCP decisions covered in yesterday's briefing — the tutoring center fine and the Altex România penalty — have not materially advanced. Note, however, that the obstruction-plus-DSR-failure pattern seen in Altex is now replicated in the HDPA tutoring center decision: both involve controllers that first ignored data subject requests and then failed to cooperate with the investigating DPA, drawing separate penalty exposure under Article 31 GDPR. Practitioners advising mid-size controllers should flag that obstruction of supervisory access is not a theoretical aggravating factor — it is being applied consistently across jurisdictions. Watch level: MONITOR (privacy counsel and DPOs advising controllers on DSR workflows and DPA engagement protocols)

The Belgian APD decision covered yesterday — confirming that email reproduction satisfies GDPR Article 15 access obligations — similarly has not materially advanced. It warrants a brief restatement only because it pairs usefully with the Romanian and Greek access failures: Belgian supervisory practice accepts reproduction as a valid fulfillment modality, which may provide practical guidance for employers determining how to structure DSR responses without undertaking full data extraction exercises. The distinction matters operationally, particularly where email correspondence is the primary data asset at issue. Watch level: MONITOR (employment counsel and HR compliance teams managing workplace DSR responses)

Utah SB0296, transmitted to the Governor yesterday and covered in the prior briefing, remains pending executive action. No signature has been reported. The bill addresses student consent requirements and would impose implementation obligations on schools and ed-tech vendors operating in Utah if enacted. Monitor the Governor's desk; the window for executive action is the relevant next trigger.

Top Signals

🌐 enforcement: ANSPDCP fines Your Consulting SRL ~€3,000 for web app security failures under Articles 25 and 32 GDPR
🇪🇺 enforcement: Obstruction-plus-DSR-failure pattern applied consistently by HDPA and ANSPDCP across two separate decisions
🌐 enforcement: Belgian APD confirms email reproduction satisfies Article 15(3) copy obligation — practical guidance for workplace DSR programs
🇺🇸 legislation: Utah SB0296 student consent bill awaiting Governor signature — ed-tech vendors should prepare

Policy Signal · policysignalhq.com · Major privacy + AI governance moves, distilled.