GDPR and Email Marketing in Romania: A Practical Guide 2026

April 30, 2026

GDPR does not ban email marketing. It asks you to be fair with the people on your list: explicit consent, an unsubscribe that is easy to find in every email, an accessible privacy policy, correct handling of your data sources, and retention only for as long as you need. Follow these five and you are on the right side of the law.

What GDPR says in plain language

GDPR is a European law from 2018. For email marketing, what you need to remember is simple: you are allowed to send commercial emails if the person agrees to receive them.

Agree means two things: the person said yes explicitly (ticked a checkbox, filled in a form, confirmed through an email) and the person knows what they said yes to, meaning you told them clearly they would get marketing emails, not just updates.

In Romania, on top of GDPR there is also Law 506/2004, which is stricter on email and SMS marketing. In short: if you comply with GDPR properly, you are also fine under Romanian law.

The 5 practical rules

1. Correct consent, not pre-ticked. A separate checkbox, UNticked, with clear text. A pre-ticked box is not consent, it is an assumption. Combining acceptance of your Terms with marketing is also illegal.

2. An unsubscribe link in every email, easy to find. Visible, not hidden in a 6-pixel font, and it must work in a single click. Most email marketing fines in Romania are about this.

3. An accessible privacy policy. You explain what data you collect, why, who you share it with, how long you keep it and how someone can unsubscribe. A simple page in Romanian is enough.

4. Your data sources - Booking, check-in, online orders - you CAN use them, but with a separate offers checkbox. Without the tick, the email stays only for things tied to the booking. For old lists with no proof of consent, send a single re-permission email and keep only those who confirm.

5. How long you keep the data. Only as long as you need. Subscribers inactive for 12-18 months: delete or send re-engagement. You keep order data for as long as accounting law requires (10 years in Romania), but separate from the marketing list. Any deletion request, you handle within 30 days.

Mistakes that lead straight to a fine

Bought or scraped lists. Someone sells you 5,000 contacts guaranteed GDPR-checked for 200 EUR. Never. The legal responsibility is yours, not the seller's. The authority's first question is: do you have proof of consent? The answer someone else sold them to me is not a valid defence.

Messages after unsubscribe. In December 2024, ANSPDCP fined English Home SRL 5,000 EUR: a person asked several times to stop receiving messages, and the company kept sending (source: ANSPDCP statement, December 2024). When someone clicks unsubscribe, the exit is instant and complete.

Sending with no clear opt-out mechanism. In January 2026, ANSPDCP fined Money Seeds S.R.L. a total of about 3,000 EUR (5,000 lei plus 10,178 lei) for sending commercial messages without a simple opt-out mechanism (source: ANSPDCP statement, 8 January 2026). The unsubscribe link is a legal requirement, not a cosmetic detail.

What a good platform handles automatically

Part of this is handled behind you if the platform is well built. With a serious platform you get automatically: one-click unsubscribe in every email (the standard link required by Gmail and Yahoo since 2024), a consent log with a timestamp and source for each subscriber, and automatic suppression, meaning whoever unsubscribes drops instantly from all future campaigns.

You build compliance from the start, not added at the end. And what it already does, it does correctly.

Frequently asked questions

Can I email contacts from Booking? Yes, but only if at check-in or at direct booking you have a separate offers checkbox. For those who did not tick it, you only communicate things tied to their stay.

Do I need to ask for consent again for an old list? If you do not have proof of how you collected it, yes, recommended. A re-permission email, and you keep only those who confirm.

What is the risk if I do not comply? In Romania, ANSPDCP applies fines between 5,000 and 35,000 EUR in the usual email or SMS marketing cases. For small firms, the risk is less the fine itself and more the time lost on the investigation.

Do I need a DPO? For a small guesthouse or store, generally no. A DPO is mandatory only for special categories.

This article is informational and does not replace legal advice for complex cases.

Want us to put email marketing to work for you?

We run a free audit of your list and email flows. No strings attached, you get the concrete next steps for your business.