GDPR for email marketing in Romania
In short: for existing customers you can use soft opt-in under Law 506/2004; for everyone else you need explicit consent. Every commercial email needs a functional unsubscribe. Informational, not legal advice.
Updated: July 2026
How do I send email marketing legally in Romania?
You need explicit consent for new subscribers or soft opt-in for existing customers (Law 506/2004, similar products), plus a functional unsubscribe in every message. Without a basis the risk is real: Law 506/2004 sets fines of 5,000-100,000 lei, and the GDPR framework can reach millions of euro. Informational, not legal advice.
What the law says for email marketing in Romania
Email marketing in Romania is regulated on two levels: the GDPR (Regulation EU 2016/679) for processing personal data and Law 506/2004 for commercial email communications. Both apply together. You need a legal basis for the address and clear rules in every message. Informational, not legal advice.
The rules come from two acts that work in parallel. The GDPR governs how you process personal data, including the email address, and requires a legal basis, transparency and respect for the person's rights. Law 506/2004, which transposes the ePrivacy directive in Romania, deals specifically with commercial communications sent by email.
Article 12 of Law 506/2004 asks for three basic things: prior consent for commercial email, a clearly identified sender in every message and a free unsubscribe mechanism. On top of that, Law 365/2002 requires a commercial communication to be recognisable as such, not disguised as a personal message.
On the data side, the basis most often used for marketing is consent (Article 6(1)(a) of the GDPR), while for existing customers legitimate interest can also come into play, with a right to object. The authority that enforces these rules in Romania is ANSPDCP (dataprotection.ro).
Consent: how to get it right
For new subscribers you need explicit consent: a clear affirmative action, an unchecked box, and a notice about who you are and what the person will receive. For existing customers you can use soft opt-in on similar products. Pre-ticked boxes, silence or inaction are not valid consent.
Valid consent is freely given, specific, informed and unambiguous. In practice that means a box the person ticks themselves, not one that is already ticked, plus a short notice: who sends the emails, what kind of messages they will get and how to unsubscribe. Pre-ticked boxes and assumed agreement do not hold up.
The soft opt-in exception in Article 12(2) of Law 506/2004 lets you send without prior consent only if several conditions are met at the same time: you obtained the address in the context of a sale, you promote similar products or services of the same sender, you offered a clear and free way to object both at collection and in every message, and the person has not objected. It is not a loophole for bought lists or harvested addresses.
Whatever the basis, keep proof of consent: what the person agreed to, when and by which method (web form, API, documented import). If ANSPDCP or the data subject asks, you must be able to show this record.
Double opt-in: the second confirmation
Double opt-in means that, after someone subscribes, they receive a confirmation email with a link they have to click to activate the subscription. Only confirmed addresses actually enter the list.
It is not required by law, but it is the strongest practical proof of consent and it is recommended by ANSPDCP. It filters out typos, invalid addresses, bot signups and cases where someone enters another person's address.
It also has a direct commercial benefit: you only send to people who have confirmed they want the messages, so you get better deliverability and a cleaner sender reputation.
Unsubscribe: required in every email
Every commercial email needs a visible, functional unsubscribe link. It must be free and simple, without asking for a login or extra data beyond confirming the address. The one-click version, through the List-Unsubscribe header, is the best option.
Process unsubscribes promptly and add the address to a suppression list so it does not reappear at the next import. Continuing to send after someone has unsubscribed or asked to be deleted is the most common aggravating factor in Romanian fines.
Unsubscribe does not cover everything. The GDPR gives the person other rights too, including access to their data and erasure. Handle those requests quickly as well and keep them separate from a simple newsletter unsubscribe.
What you risk if you get it wrong
The risk has two layers. For breaking the consent rules, the GDPR provides fines of up to 20 million EUR or 4% of global annual turnover, whichever is higher. Law 506/2004 has its own administrative fines. Add to that the loss of deliverability and reputation. Informational, not legal advice.
There are two sanction regimes. For breaches tied to the legal basis and to consent, the GDPR sets a ceiling of up to 20 million EUR or 4% of worldwide annual turnover, whichever is higher (Article 83(5)). That is the maximum ceiling, not the typical fine. Law 506/2004 separately provides administrative fines for electronic communications.
In practice, the fines issued in Romania for unsolicited messages have been in the thousands of euro, as the cases already listed on this page show. ANSPDCP looks first at whether you had a valid basis and whether you kept sending after a request to stop.
Beyond the fine there is a quieter commercial cost: spam complaints damage your domain reputation, push you into the spam folder and can get your sending blocked. Often the loss of deliverability costs more than the fine. This text is informational and does not replace legal advice.
Checklist: how to stay compliant
Basis and proof. You collect explicit consent for new subscribers or use soft opt-in only for existing customers, on similar products. You keep proof of consent: what the person agreed to, when and by which method.
Every message in order. You have an identifiable sender, a subject line that does not mislead and a functional unsubscribe link in every email. You honour unsubscribes immediately and do not send again to those who left.
Hygiene and rights. You use double opt-in for proof, keep your lists clean, set up SPF, DKIM and DMARC for deliverability and answer access or erasure requests. Revisit this checklist regularly. It remains an orientation guide, not legal advice.
What you need to know
Who regulates
ANSPDCP (dataprotection.ro). It has issued real fines for unsolicited messages: English Home 5,000 EUR, Best Elan ~1,000 EUR (2024), Inteligo Media ~9,000 EUR.
Consent vs soft opt-in
Explicit consent (unchecked box) for new subscribers. For existing customers, soft opt-in under Law 506/2004 for similar products, with opt-out in every message.
Unsubscribe
Every commercial email needs a functional opt-out. Continuing after a deletion request is the number-one aggravating factor in Romanian fines.
The three legal bases
| Basis | When you use it | Key conditions |
|---|---|---|
| Consent | New subscribers | Unchecked box + clear notice |
| Legitimate interest | Existing customers | Absolute right to object to marketing |
| Soft opt-in | After a sale | Similar products + opt-out in every message |
How we configure it
Consent, double opt-in to prove agreement, clear unsubscribe and request handling. Double opt-in is not legally required, but it is the safest way to prove consent.
Frequently asked questions
How do I send a newsletter legally in Romania?
With explicit consent for new subscribers or soft opt-in for existing customers (Law 506/2004, similar products), and a functional unsubscribe in every message.
Can I send email marketing without consent?
Only via soft opt-in to existing customers, for similar products, with an unsubscribe option. Otherwise you need consent.
Do I need double opt-in?
Not legally required, but best practice to prove consent. We recommend it.
What fines do I risk?
Law 506/2004 provides 5,000-100,000 lei; the GDPR framework can reach millions of euro. Real Romanian fines for unsolicited messages have been in the thousands of euro.