GDPR·5 min read

GDPR & ANSPDCP: Concrete checklist for SMBs

ANSPDCP (Romanian DPA) issued €19M+ in fines in 2024-2025. Most violations are preventable. Here's an 8-point pre-launch checklist focused on cookies, consent, retention, and data subject rights.

GDPR enforcement in Romania (ANSPDCP) accelerated in 2024-2025: over €19M in fines, with median fine €25,000 hitting SMBs. Most violations cluster around four common mistakes. Fix them before a complaint arrives.

The 8-point pre-launch checklist

  1. Cookie banner with separate ACCEPT and REJECT buttons (no dark patterns). Reject must be at least as visible as accept. Both must work without selecting categories first (forcing a second click to reject is a common ANSPDCP citation).
  2. Pre-banner cookie blocking — no analytics/marketing cookies set before user choice. Test in DevTools Application tab. Many CMS plugins fail here.
  3. Privacy policy linked from banner. Article 13 transparency requires the policy be reachable from the consent moment, not buried.
  4. Form consent: explicit, not pre-ticked. Article 7 of GDPR requires unambiguous opt-in. Pre-ticked checkboxes are explicitly invalid (CJEU Planet49 ruling).
  5. Data retention schedule documented. For each data category (newsletter, audit, contact form), how long is it kept? When is it deleted? Where? Document this.
  6. Subject Access Request (SAR) procedure. Articles 15-22. Designate an email (e.g., dpo@yourdomain), document a 30-day response workflow, prepare data export templates.
  7. DPA register (Article 30). Required if you process "regularly" or "high-risk" data, but pragmatic for any SaaS. Lists which categories of data, on what basis, how long, with whom shared.
  8. Sub-processor list. Who handles your data downstream (hosting, email, analytics)? Disclose them in the privacy policy with links to their DPAs.
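Checks 1 and 2 can be encoded as a small consent gate plus a pre-consent cookie audit. The following is an added example, not code from the original post or from Auditope; the cookie names and the "essential" allowlist are constructed samples you would replace with your own.

```javascript
// Added example (not from the original post). Models checklist items 1-2:
// REJECT resolves every category in one click, and no analytics/marketing
// cookie may exist before the visitor has chosen. Cookie names are samples.

// Cookies a site may set without consent (constructed allowlist).
const ESSENTIAL_COOKIES = new Set(["session_id", "csrf_token", "cookie_consent"]);

// Non-essential categories the banner governs.
const OPTIONAL_CATEGORIES = ["analytics", "marketing"];

// Parse the browser's document.cookie string ("a=1; b=2") into a Map.
function parseCookieString(cookieString) {
  const cookies = new Map();
  for (const part of cookieString.split(";")) {
    const trimmed = part.trim();
    if (!trimmed) continue;
    const eq = trimmed.indexOf("=");
    const name = eq === -1 ? trimmed : trimmed.slice(0, eq);
    const value = eq === -1 ? "" : trimmed.slice(eq + 1);
    cookies.set(name, value);
  }
  return cookies;
}

// One click settles every category: ACCEPT turns all on, REJECT turns all
// off. Neither path asks the visitor to tick categories first (item 1).
function applyChoice(choice) {
  if (choice !== "accept" && choice !== "reject") {
    throw new Error("choice must be 'accept' or 'reject'");
  }
  const granted = { essential: true };
  for (const category of OPTIONAL_CATEGORIES) {
    granted[category] = choice === "accept";
  }
  return granted;
}

// Gate a tag by category: load it only once that category has been granted.
// granted === null means no choice has been recorded yet.
function mayLoad(category, granted) {
  return granted !== null && granted[category] === true;
}

// Before any choice is recorded, every cookie that is not strictly necessary
// violates item 2. Returns the offending cookie names, sorted.
function auditPreConsentCookies(cookieString, granted) {
  if (granted !== null) return [];
  return [...parseCookieString(cookieString).keys()]
    .filter((name) => !ESSENTIAL_COOKIES.has(name))
    .sort();
}
```

Paste `auditPreConsentCookies(document.cookie, null)` into the DevTools console on a fresh visit before touching the banner; any name it returns is a cookie your CMS or a plugin set too early.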

What changed in 2024-2026

ANSPDCP is now actively scanning Romanian websites for cookie banner violations using automated probes. The fact that "everyone does it" is no longer a defense. Auditope's compliance phase runs all 8 checks plus dark pattern detection on consent UIs.
