Daily Briefing
2026-04-16

6 signals · generated 08:00 UTC

European data protection authorities are publishing a concentrated run of enforcement decisions targeting Article 15 access request failures and regulatory non-cooperation — often in the same action. ANSPDCP, HDPA, and APD have each moved on DSR-related complaints in the past cycle, and the compounding penalty pattern seen in the Your Consulting SRL decision (covered yesterday) is now visible in two additional cases. For compliance teams, the operational question is whether their DSR workflows have any documented safeguard against both failure to respond and failure to cooperate with subsequent DPA inquiries.

ANSPDCP has fined Altex România approximately €8,000 following consumer complaints of unanswered access, rectification, and erasure requests. Critically, the fine was elevated by the retailer's failure to engage with ANSPDCP's own investigation, drawing liability under Article 83(5)(e) alongside the Article 58(1) supervisory access obligation. This is the same obstruction-plus-DSR-failure pattern ANSPDCP applied in the Your Consulting SRL decision and that HDPA applied in its recent Greek tutoring center case — suggesting a coordinated or at minimum convergent enforcement posture across southeastern EU DPAs. Practitioners should note that obstruction appears to function as a penalty multiplier independent of the underlying DSR violation's severity.
Watch level: MONITOR (data controllers with consumer-facing DSR workflows, particularly retail and services sectors — no immediate enactment trigger, but pattern warrants internal DSR response audits)

HDPA's Decision 39/2025 fined a Greek private tutoring center €4,000 for refusing to provide a parent — acting on behalf of enrolled minor children — with copies of tax receipts and tuition-related personal data under Articles 12(3), 12(4), and 15(1) GDPR. The center also failed to cooperate with HDPA's investigation, triggering an additional Article 31 penalty. The education-sector context is notable: the data at issue was financial records, not behavioral or academic data, suggesting HDPA interprets Article 15 access rights broadly in parent-child contexts. This raises the practical question of how education providers define the scope of personal data subject to parental access requests.
Watch level: MONITOR (education sector privacy and compliance leads, particularly those managing parental rights frameworks)

Utah's SB0296, covered yesterday as pending gubernatorial action, has no material change to report — still awaiting signature. Ed-tech vendors with Utah school contracts should continue preparation as previously flagged.

The Spanish AEPD's EXP202308705 decision involves a medium-impact enforcement matter, though the source record did not render usable detail. The AEPD has been active on consent and data transfer enforcement; practitioners tracking Spanish supervisory practice should consult the GDPRhub entry directly for case specifics as the record populates.

Top Signals

🌐 enforcement · ANSPDCP fines Altex €8,000: obstruction-plus-DSR failure elevates penalty
🌐 enforcement · HDPA fines Greek tutoring center €4,000: parental access rights and Article 31 obstruction compounded
🇪🇺 enforcement · Obstruction-as-multiplier pattern now confirmed across ANSPDCP and HDPA in same enforcement cycle
🇺🇸 legislation · Utah SB0296 student consent bill still at Governor — ed-tech vendors maintain preparation posture

Policy Signal · policysignalhq.com · Major privacy + AI governance moves, distilled.