ICCJ - 325/10 February 2022 (GDPRhub, https://gdprhub.eu/index.php?title=ICCJ_-_325/10_February_2022&diff=28376, 2022-10-03T20:59:08Z)
<p>DianaR: Created page with "{{COURTdecisionBOX |Jurisdiction=Romania |Court-BG-Color= |Courtlogo=Courts_logo1.png |Court_Abbrevation=ICCJ |Court_Original_Name=Înalta Curte de Casație și Justiție |Co..."</p>
<hr />
<div>{{COURTdecisionBOX<br />
<br />
|Jurisdiction=Romania<br />
|Court-BG-Color=<br />
|Courtlogo=Courts_logo1.png<br />
|Court_Abbrevation=ICCJ<br />
|Court_Original_Name=Înalta Curte de Casație și Justiție<br />
|Court_English_Name=The High Court of Cassation and Justice<br />
|Court_With_Country=ICCJ (Romania)<br />
<br />
|Case_Number_Name=325/10 February 2022<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=The High Court of Cassation and Justice of Romania<br />
|Original_Source_Link_1=http://www.scj.ro/1093/Detalii-jurisprudenta?customQuery%255B0%255D.Key=id&customQuery%255B0%255D.Value=192277#highlight=##%2520GDPR<br />
|Original_Source_Language_1=Romanian<br />
|Original_Source_Language__Code_1=RO<br />
|Original_Source_Name_2=<br />
|Original_Source_Link_2=<br />
|Original_Source_Language_2=<br />
|Original_Source_Language__Code_2=<br />
<br />
|Date_Decided=<br />
|Date_Published=22.02.2022<br />
|Year=<br />
<br />
|GDPR_Article_1=Article 82 GDPR<br />
|GDPR_Article_Link_1=Article 82 GDPR<br />
|GDPR_Article_2=Article 85 GDPR<br />
|GDPR_Article_Link_2=Article 85 GDPR<br />
|GDPR_Article_3=<br />
|GDPR_Article_Link_3=<br />
|GDPR_Article_4=<br />
|GDPR_Article_Link_4=<br />
<br />
|EU_Law_Name_1=<br />
|EU_Law_Link_1=<br />
|EU_Law_Name_2=<br />
|EU_Law_Link_2=<br />
<br />
|National_Law_Name_1=Article 7, Law 190/2018<br />
|National_Law_Link_1=https://legislatie.just.ro/Public/DetaliiDocument/203151<br />
|National_Law_Name_2=Articles 8 and 10, European Convention on Human Rights<br />
|National_Law_Link_2=https://www.echr.coe.int/documents/convention_eng.pdf<br />
|National_Law_Name_3=<br />
|National_Law_Link_3=<br />
|National_Law_Name_4=<br />
|National_Law_Link_4=<br />
<br />
|Party_Name_1=<br />
|Party_Link_1=<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
<br />
|Appeal_From_Body=Tribunal of Bihor<br />
|Appeal_From_Case_Number_Name=161/C 4.12.2020<br />
|Appeal_From_Status=<br />
|Appeal_From_Link=<br />
|Appeal_To_Body=Curtea de Apel Oradea<br />
|Appeal_To_Case_Number_Name=698 of 26.05.2021<br />
|Appeal_To_Status=Appealed - Confirmed<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=Diana Rosu<br />
|<br />
}}<br />
<br />
The supreme court in Romania confirmed two other national rulings holding that freedom of expression and the public interest override an individual's right to private life in the case of a publicly known person, when the data involved (name and image) are fairly neutral and have previously been made publicly available. <br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
A person in Romania sued two companies after they published an article about them, including their name and a picture from their father's funeral. The complainant argued that their data had been processed and made publicly available without their consent, for defamation purposes, affecting their private and professional life. The defendants, on the other hand, argued that the complainant is a public person and that freedom of expression overrides the rights and freedoms of the complainant in this particular situation. <br />
The case was first filed with a local tribunal and then appealed twice. All three courts involved agreed on the same judgment. <br />
<br />
=== Holding ===<br />
The court(s) decided that the complainant was a locally known public figure because of their professional activity and involvement in public projects (namely, the complainant owned, amongst others, the biggest and the oldest shopping centre in the area), and their status as a public figure was previously confirmed by other national and international articles mentioning them. With that status established, and relying on GDPR Article 85 and Article 7 of the national law 190/2018 implementing GDPR, the court(s) held that the public interests of society, freedom of expression and journalists' rights override the personal rights of the complainant. As such, the case was considered to be outside the scope of GDPR. <br />
<br />
Furthermore, the court highlighted that the picture of the complainant was neutral, did not affect the complainant's personal life unnecessarily and had previously been used in other press articles. Therefore, both the picture and the complainant's name were data which had previously been made publicly available. <br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.<br />
<br />
<pre><br />
Subject content: Civil law. Obligations. Civil liability<br />
<br />
Alphabetical index: journalist<br />
<br />
press article<br />
subject of public interest<br />
public person<br />
personal data<br />
<br />
<br />
Law no. 190/2018, art. 7<br />
<br />
<br />
<br />
According to EU Regulation no. 679/2016, no personal data (including the name and image of the person, according to art. 4 points 1 and 2) can be processed, i.e. brought to the public's attention, without the consent of their holder, but nevertheless, the European legislator established through the Regulation that the member states can adopt legislation at the national level that provides for such exceptions for the journalistic field.<br />
<br />
At the national level, the Romanian legislator adopted Law no. 190/2018, which regulated the matter of personal data protection, focusing on the issue of personal data processing by journalists in art. 7, according to which in order to ensure a balance between the right to the protection of personal data, freedom of expression and the right to information, processing for journalistic purposes or for the purpose of academic, artistic or literary expression can be carried out, if it concerns personal data which have been openly made public by the person concerned or which are closely related to the quality of public person of the person concerned or to the public nature of the facts in which he is involved.<br />
<br />
Thus, as the plaintiff has the capacity of a public person, which is important from the perspective of art. 7 of Law no. 190/2018 to analyze whether the act of using his name and image without his consent is illegal or not, from the perspective of the Regulation and how the facts presented in the incriminated article are circumscribed to a public subject of general interest, being closely related to the quality of the public person of the plaintiff, it was correctly found that the sanctions of the Regulation on the protection of natural persons with regard to the processing of personal data and on the free circulation of this data and its application law are not applicable.<br />
<br />
I.C.C.J., Civil Section I, decision no. 325 of February 10, 2022<br />
<br />
<br />
<br />
I. The circumstances of the case<br />
<br />
1. The object of the case<br />
<br />
Through the summons request, registered at the Bihor Court on 3.09.2020, the plaintiff A. requested the court, contrary to the defendants B. and SC C. SA, pursuant to art. 1349, art. 1357 et seq., art. 1373 et seq., art. 1381 et seq., art. 58, art. 71, art. 72, art. 73, art. 74, art. 77 and art. 252 et seq. Civil Code, art. 82 of EU Regulation no. 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (GDPR Regulation), the engagement of liability civil torts and obliging the defendant 1, jointly with the defendant 2, to pay moral damages, in the amount of 50,000 euros for the reparation of the non-pecuniary damage caused to the person A. through the use by the journalist B. of his name and image (photo) in the content of an article belonging to the C. SA publication, without obtaining its prior consent.<br />
<br />
2. Judgment of the Bihor Court, Section I civil<br />
<br />
By sentence no. 161/C of 4.12.2020, the Bihor Court - Civil Section I rejected the action filed by the plaintiff A., in opposition to the defendants SC C. SA and B.; forced the plaintiff to pay the defendants the sum of 1190 lei, court costs.<br />
<br />
3. Decision of the Oradea Court of Appeal, Civil Section I<br />
<br />
By decision no. 698 of 26.05.2021, the Oradea Court of Appeal - Civil Section I rejected, as unfounded, the appeal declared by A., in contradiction with the defendants SC C. SA and B. against civil sentence no. 161/C/ 2020, pronounced by the Bihor Court and obliged the appellant A. to pay to the respondent SC C. SA the sum of 1785 lei, as court costs in the appeal.<br />
<br />
4. The appeal formulated in the case<br />
<br />
Against decision no. 698/2021, issued by the Oradea Court of Appeal - First Civil Section, plaintiff A declared an appeal.<br />
<br />
In the content of the appeal memorandum, based on the provisions of art. 483 et seq. of the Civil Code, the appellant claimed that the appeal court did not rule on the criticism regarding the non-analysis of one of the illegal facts complained of in the summons request, the reason being incidental of scrapping provided by art. 488 point.5 C.proc.civ., by reference to art.477 of the same normative act, in violation of the tantum devolutum quantum appellatum principle, the court of appeal not ruling on all the criticisms with which it was vested.<br />
<br />
Considers that the action concerned two illegal acts in connection with the use of the plaintiff's name and image in the article created/hosted by the two defendants, respectively defamation, through references to the person of the plaintiff/association of the plaintiff's person with alleged illegal acts and the use of the name and image without the plaintiff's consent.<br />
<br />
It shows that, regarding the illegal act of using the plaintiff's name and image for the purpose of defaming him, by affecting the person's dignity, both from a professional and personal point of view, of family life, by using an image of his person from a funeral, intimate, family event, the first court did not rule at all, lacking any analysis of the violation of the defendants' obligation to respect the non-patrimonial rights of the appellant. It mentions that the defamatory information claimed in the court's preliminary application referred to the association of the appellant with facts of alleged non-compliance with administrative acts in the field of construction or of alleged pressure on an authority to modify its issued administrative acts.<br />
<br />
He claims that the first court only analyzed the fact of using the appellant's name and image without his consent, and the criticism formulated in the grounds of appeal regarding this aspect was not analyzed in the appealed decision, the considerations of the decision exclusively referring to the application of EU Regulation no. 679/2016, without an analysis of the publication of defamatory information about the person of the appellant.<br />
<br />
It shows that the lack of any ruling by the court of appeal on these issues leads to the prejudice of the appellant's rights, both procedural and substantive, given that they do not receive any ruling.<br />
<br />
The appellant shows that there is a lack of concrete motivation regarding the criticism regarding his lack of acceptance for the use of the name and image.<br />
<br />
He claims that the decision is unmotivated in the aspect of not ruling on some criticisms regarding the wrong qualification as a public person, related to the incidence of the provisions of EU Regulation no. 679/2016. Considers that through the appeal he showed that, wrongly, the first court concluded that his person has the characteristics of a public person, with the consequence that the protection offered to the appellant regarding his private life and, in particular, the right to the image, is one restricted considering that until the date of publication of the article, the year 2020, the appellant was a person who had not made any public appearance for over 10 years; it cannot be considered that the notoriety enjoyed by his father is automatically transmitted to the appellant, and the quality of an entrepreneur is not equivalent to the notion of a public person. It states that these arguments were not taken into account by the court of appeal, and the qualification given by the court to the quality of a public person, in relation to these criteria, relates to the essence of establishing a licit or illicit public communication of the respondents-defendants, by the article referred to by action, since even the court accepts that a private person is entitled to have his right to the image protected, in the sense requested by the introductory action, respectively by the need to have requested his consent.<br />
<br />
It states that, under the aspect of the respondent's use of a photo from an intimate moment of the family, without the appellant's consent, the court is limited to affirming that it was also used in other articles, without mentioning where it was identified, without referring to the parts of the file and without offering any argumentation to support the given resolution.<br />
<br />
It is noted in the appealed decision that the mention of the appellant's name and photo in an article, regarding the activity of a company in which he has a share in the share capital, does not affect the appellant's private life, but the fact that the modality was also criticized is not analyzed at all in which reference was made to his person, in a manner that would induce the idea of an obscure activity of the appellant, personally, not through the companies where they have the capacity of associate and the local authorities.<br />
<br />
Subsumed to the ground of appeal provided by art. 488 paragraph 1 point 8 of the Civil Procedure Code, it criticizes the wrong inclusion in the legal norms of the factual aspects with which the court was vested, supporting the fulfillment, in the case, of the conditions of civil liability tortious. It shows that the interpretation given by the court of appeal to the provisions of art. 71 of the Civil Code, art. 8 and 10 of the ECHR and EU Regulation no. 679/2016 (GDPR) is wrong, contrary to the spirit and purpose of the rule.<br />
<br />
Considers that the provisions of art. 488 paragraph 1 point 6 of the Civil Procedure Code are also incidents, given that the wrong interpretation of the law is also based on a lack of analysis of the conditions of the rule that the court applies.<br />
<br />
It shows that the premise from which the appellate court started in resolving the appeal, that the appellant is a public person, is contrary to the meaning and interpretation of the provisions of art. 71 of the Civil Code, as well as of art. 8 and 10 of the ECHR. In this sense, he mentions that through the appealed decision, it was determined, with a determining role, that this quality of the appellant attracts the lack of responsibility of the defendants. The finding of the appeal court regarding the quality of the appellant as a public person is not based on a concrete analysis, the reference to the documents submitted before the first court, without a concrete reference to them, respectively the possible public appearances of the appellant, their topicality, their rhythmicity, the intentional exposure of the appellant publicly in another way, representing a lack of analysis regarding the quality of public person.<br />
<br />
Considers that he is not a public person, having no public appearances in the media and in the press, in general, the respondent C. SA knowing the fact that the appellant wishes to be a discreet person, away from the spotlight, in relation to any subject of his private life or professional. It states that the articles submitted by the respondents to the file, in an attempt to accredit the idea that the appellant is a public figure, mostly come from the respondent C. SA, and of all the press articles cited by the respondents, most refer to the activity and public appearances of his late father. It also shows that there is no element that leads to the idea that he is a public figure, an aspect resulting from the fact that there is no public event that the appellant intentionally attends and that has reached public knowledge, he does not hold accounts on the social media pages, he is not a politician, he does not hold any executive function in public or private entities, he does not hold the capacity of administrator/authorized person in the companies in which he holds shares, so that he is granted the capacity of a public person.<br />
<br />
He claims that the decision is also flawed due to the wrong interpretation and application of the legal limits regarding the use of the appellant's name, from the perspective of art. 71 of the Civil Code, as well as art. 8 and 10 of the ECHR, provisions according to which people benefit from protection with respect to life personal data and private personal attributes, including the person's identification attributes, such as name and image, dignity/reputation and privacy. It states that, in this case, the use of the appellant's name and image, illegal in itself, was also done in violation of the provisions and limits of the right of expression of persons active in the press/media field, by associating the appellant's name and image with alleged facts that exceed the limits legal, given that during the process neither the article in question, nor the respondents, failed to identify the appellant's personal involvement in them. It shows that the need to identify a direct link between the fact that is the subject of a press subject and a certain person is one of the requirements imposed on the proper exercise of the right to expression, provided for by art. 10 of the ECHR, but the appeal court did not identify any such element of connection between the personal life of the appellant and the facts reproduced in the journalistic article from which the litigation started, nor the criterion of the exercise by journalists, in good faith, of the right conferred by art. 10 of the ECHR.<br />
<br />
The appellant shows that the journalistic activity carried out by the respondents did not fall within the limits of art. 7 of Law no. 190/2018 on measures to implement EU Regulation no. 679/2016 (which was adopted in order to regulate the principle of fair balance between the right to private life and freedom of expression, especially in the field of the press), the court of appeal giving a wrong interpretation to this legal provision.<br />
<br />
He mentions that the appealed decision held that the insertion of the appellant's name and photo in the complained article complies with the legal requirements as it concerns the commercial activity of a company he manages. He claims that, from the documents in the file, it does not appear that the appellant manages the activity of the company D. SA, not being the administrator of this company, a context in which, by reference to the provisions of art. 7 of Law no. 190/2018, the publication of the appellant's name and image by the respondents it does not concern information that he has made public intentionally, it does not concern him as a public person, not being personal facts of the appellant, but of an entity with legal personality. It shows that the court of appeal wrongly considered the non-existence of an illegal act, this existing under the aspect of EU Regulation no. 679/2016, the damage resulting from the very violation of the norm by the respondents.<br />
<br />
5. Defenses formulated in the case<br />
<br />
The respondents SC C. SA and B. filed an objection, by which they requested the rejection of the appeal, as unfounded, arguing, in essence, that the appeal court's reasoning is rigorous and is in line with the High Court's jurisprudence, with reference to decision no. 1954/2014, as well as that it cannot be a question of an illegal act considering that the appellant was not violated, in concrete terms, of a subjective right, and the other essential conditions for incurring tortious civil liability were not developed or proven.<br />
<br />
It also shows that, if it were assumed that his right to private life had been violated, this injury must be balanced with the journalist's right to free expression, guaranteed by art. 10 of the ECHR, which, exercised in good faith, justifies the entire publicity approach and, in accordance with art. 1353 of the Civil Code, removes the potential illegal character of the defendants' conduct.<br />
<br />
II. The solution and considerations of the High Court of Cassation and Justice<br />
<br />
Examining the appealed decision, through the prism of the criticisms formulated, as well as referring to the documents and works of the file and the applicable legal provisions, the High Court finds that the appeal is unfounded, for the reasons set out below.<br />
<br />
A first reason for appeal is the fact that the court of appeal did not rule on the criticism regarding the non-analysis of one of the illegal facts complained of through the summons, the appellant considering that the reason for annulment provided for by art. 488 point.5 C.proc.civ., by reference to art.477 of the same normative act, in violation of the tantum devolutum quantum appellatum principle, the court of appeal not ruling on all the criticisms with which it was vested. It is claimed that the action concerned two illegal acts in relation to the use of the plaintiff's name and image in the article created/hosted by the two defendants, respectively defamation, through references to the person of the plaintiff/association of the plaintiff's person with alleged illegal acts and the use of the name and image without the plaintiff's consent.<br />
<br />
The Court of Appeal analyzed with priority the appellant's criticisms regarding the lack of reasons for the decision, finding that the sentence of the first instance is sufficiently reasoned, it properly considered the factual situation, based on the assessment of the probation administered, as well as the factual and legal reasons that the pronounced solution is founded, with the application of the corresponding legal provisions, the reason for appeal formulated regarding this aspect being assessed as unfounded.<br />
<br />
Under this aspect, the High Court of Cassation and Justice finds that, as it follows from the content of the summons, the subject of the action with which the court of first instance was vested, which remained unchanged throughout the trial before the first instance, is represented of the applicant's request for criminal civil liability for the use by the journalist B. of her name and image (photo) for defamatory purposes, in the content of an article belonging to the publication C. SA, without obtaining her prior consent.<br />
<br />
Although in the appeal it is claimed that, in reality, the plaintiff notified the court of two illegal acts, from the content of the summons it follows that the plaintiff expressly indicated as an illegal act the unauthorized use of his name and image. The fact that he added the phrase at a given moment with a defamatory purpose, the article being obviously written with the intention of putting in a bad light the company in which the plaintiff holds shares, represents another element of the illegal act, from the way of formulating the action not resulting in the fact that the plaintiff notified the court with the analysis of a distinct illegal act, on which it would not have ruled.<br />
<br />
From this perspective, the Court of Appeal correctly found that the first instance responded to the main arguments formulated by the plaintiff through the request for summons, the reasoning of the sentence clearly explaining the decision taken, not imposing an exhaustive response to all the arguments brought by the party, but a presentation of the fundamental arguments, those that are susceptible, through their content, to influence the decision, the requirements of art. 6 of the European Convention on Human Rights and art. 21 para. 3 of the Romanian Constitution regarding the right to a fair trial.<br />
<br />
The appellant also shows that there is no ruling by the court of appeal on the alleged illegal act of using the name and image of the plaintiff for the purpose of defaming him, by affecting the dignity of the person, both from a professional and personal point of view, of family life, by using an image of his person from a funeral, intimate, family event and by associating the appellant with facts of alleged non-compliance with administrative acts in the matter of construction or of alleged pressure on an authority to modify the administrative acts issued. He claims that the first court only analyzed the fact of using the appellant's name and image without his consent, and the criticism formulated in the grounds of appeal regarding this aspect was not analyzed in the appealed decision, the considerations of the decision exclusively referring to the application of EU Regulation no. 679/2016, without an analysis of the publication of defamatory information about the person of the appellant.<br />
<br />
Under this aspect, the High Court notes the fact that within the considerations of the contested decision, the appeal court analyzed the aspects with which the plaintiff understood to invest the first court and which were the object of the criticism in the appeal, respecting both the tantum devolutum quantum appellatum principle (that is, not devolves only what has been appealed), as well as the tantum devolutum quantum judicatum principle (that is, only what has been judged is devolved), respecting the provisions of art. 477 - 479 C.proc.civ., according to which the appeal court will verify, in the limits of the appeal request, the establishment of the factual situation and the application of the law by the first instance. Reasons of public order can be invoked ex officio, so the provisions of art. 488 para. 1 point 5 C.civ.proc.<br />
<br />
As a preliminary matter, the factual situation held by the previous court, which cannot be the subject of judicial control of legality in the way of appeal, was stated in the preamble of the contested considerations, being that in the newspaper Y from June 29 to July 5 of was published the article "The new restaurant built by the company D. in the zero zone of X, on the bank (...), does not respect the project that won the competition of the mayor's office! D. makes the law!", and on 30.06.2020, the same article also appeared on the publication's website under the title "D. makes the law! The new restaurant in the center, built on the shore (...), does not comply with the project which the City Hall promised (...)". The article contains the photograph of the plaintiff, the architect, the mayor and the deputy mayor.<br />
<br />
Although the plaintiff claims that his claim was analyzed only in terms of the defendant's use of his name and photograph, without his prior consent, and that the appealed decision does not analyze at all the use of the plaintiff's name and image for the purpose of defaming and affecting his dignity through the manner in which reference was made to his person, in a manner that induces the idea of an obscure, personal activity, it can be observed that, specifically, on pages 13, 14, 15 of the appealed decision, the elements of the act imputed to the defendants in the request for summons, by referring both to the provisions of the Regulation, especially of art. 85 regarding processing and freedom of expression and information, in conjunction with art. 7 of Law no. 190/2018 implementing the Regulation, as well as through the lens of the legal bases of tortious civil liability, as well as of art. 8 and 10 of the Convention for the Protection of Human Rights and Fundamental Freedoms.<br />
<br />
Analyzing the concrete circumstances of the case, the appellate court assessed that the appellant's rights to private life, dignity, reputation or honor or self-image were not violated (page 14 paragraph 4). Also, after the theoretical analysis of the legal grounds with which it was referred and by reference to the documents and works of the file, the court showed that in this case, the subject of the analyzed article is, without a doubt, one of public interest, referring to the controversial way in which the company owned by the appellant-complainant, D., built a large restaurant, on a plot of land in the center of municipality X, following a partnership concluded with the local public authority, the name of the complainant being mentioned and his photo being published. The incriminated article did not report any details regarding the personal life of the appellant-plaintiff, but exclusively his capacity as the owner of the company D.S.A., an aspect, moreover, undisputed, so that it was correctly found that in the case the exceptional situations within the meaning of art. 10 of the Convention and art. 30 of the Romanian Constitution, which protects freedom of expression in cases where the journalist acts in good faith for the purpose of correct and judicious information, regarding subjects of general interest.<br />
<br />
As such, the appellant's request for the application of the reason for annulment provided for by art. 488 para. 1 point 6 C.proc.civ., in the sense that the court of appeal would not have examined the grounds of appeal from the perspective of the elements that characterize the deed complained of, defamation and damage to his dignity, but, as previously shown, it analyzed, in essence, the aspects with which it was vested, but assessed that the expression of the journalist concerned a subject of general interest and retaining his good faith, in the conditions in which no evidence to the contrary was presented in the case, assessed that the exercise of the journalist's right to free expression within the limits allowed by law cannot constitute a civil offense, and requiring him to pay compensation, in the concrete circumstances of the case, would represent an unjustified interference in the exercise of the right to free expression, disproportionate to the legitimate purpose pursued and which cannot be considered "necessary in a democratic society".<br />
<br />
The appellant also claims that there is no concrete justification for the criticism regarding the appellant's lack of acceptance for the use of his name and image.<br />
<br />
The Court noted on page 15 paragraphs 6-7, that as regards the published photo, it is a neutral one, which does not contain elements likely to bring any impact on private life, of small dimensions, which was previously used in other articles as well of the same publication, as well as in the international press, and the mention of the name of the appellant-complainant and the insertion of a photo of him, already public, in the content of a press article regarding the commercial company he leads, with reference to aspects of public interest related to the projects of the municipality, cannot be considered as affecting his right to private life, dignity or self-image, falling within the limits of freedom of expression, in the sense of art. 10 par.1 of the Convention.<br />
<br />
As such, the claims according to which there is no justification regarding these aspects and that the appeal court did not examine and did not give a reasoned answer to all the factual and legal issues in the case brought to trial, are not confirmed, the appealed decision presenting, in essence, the reasons taken into account when pronouncing the adopted solution.<br />
<br />
Since the solution given by the court of appeal to the legal issues brought to trial is fully and coherently supported by considerations that do not contradict themselves and that lead to the solution in the device, the High Court notes that the provisions of art. 488 para. 1 point 6 C.civ.proc. nor with regard to these grounds of appeal.<br />
<br />
It is also argued in the appeal that the decision is unmotivated in terms of not pronouncing on some criticisms regarding the wrong classification of the plaintiff as a public person, related to the incidence of the provisions of EU Regulation no. 679/2016, such as the fact that until the date of publication of the article, year 2020, the appellant was a person who had not made any public appearance for over 10 years and that it cannot be considered that the notoriety enjoyed by his father is automatically transmitted to the appellant, and the quality of an entrepreneur does not equate to the notion of a public person. It is shown that, in terms of the respondent's use of a photograph from an intimate moment of the family, without the appellant's consent, the court is limited to affirming that it was also used in other articles, without mentioning where it was identified, without referring to the parts of the file and without offering any argumentation to support the given resolution.<br />
<br />
Regarding this aspect, the Court of Appeal showed on page 15, paragraphs 4-5 that it was proved in the case, with the documents submitted to the first instance file, the quality of the appellant-plaintiff as a public person, being an important businessman, who owns and manages, among other things, the largest and oldest mall in X., the company he patronizes being involved in various public projects, so that the limits of admissible criticism are wider than in the case of individuals, which determines, correlatively, a reduced protection of it. The notoriety of the appellant-complainant was also confirmed by his multiple appearances in the national and international mass media, a fact proven by the documents submitted to the first instance file.<br />
<br />
It is noted that the appeals court referred to the evidence that convinced it that the plaintiff can be classified as a public figure, not necessarily from the perspective of his public appearances, the notoriety of his deceased father or strictly from the quality of an entrepreneur, but from his professional activity, which also meant involvement in various public projects.<br />
<br />
The reasoning of a decision must be understood as a logical syllogism, capable of intelligibly explaining the decision taken, which does not mean an exhaustive answer to all the arguments brought by the party, but an answer to the fundamental ones, which are susceptible, through their content, to influence the solution.<br />
<br />
The removal of a defense contrary to the retained factual situation does not imply the rejection of each individual argument, if it does not correspond to the retained situation. Also, in judicial practice, including from the perspective of ECtHR judgments, it has been consistently shown that, in the economy of considerations, the court does not need to respond precisely to each argument, as they can be grouped according to the thesis to which they subscribe in order to develop a single line of reasoning.<br />
<br />
Or, from the verification of the grounds of the contested decision, it follows that the appellate court judiciously motivated the solution pronounced by removing the arguments of the plaintiff appellant, it cannot be reproached for not responding concretely to some reasons for appeal, which is why the criticisms regarding the incidence of the provisions of art. 488 para. 1 point 6 C.civ.proc.<br />
<br />
On the other hand, the appellant attempts a reinterpretation of the evidence in order to retain a different factual situation than the one that the previous court has already established, aspects of groundlessness that cannot be analyzed in this appeal, an extraordinary means of appeal which can only concern the grounds of illegality strictly and limitedly provided by art. 488 Civil Procedure Code.<br />
<br />
Subsumed under the ground of appeal provided by art. 488 paragraph 1 point 8 of the Civil Procedure Code, the appellant criticizes the wrong classification in the legal norms of the factual aspects with which the court was vested, supporting the fulfillment, in the case, of the conditions of civil tort liability. It shows that the interpretation given by the court of appeal to the provisions of art. 71 of the Civil Code, art. 8 and 10 of the ECHR and EU Regulation no. 679/2016 (GDPR) is wrong and is based on a lack of analysis of the conditions of the norm which the court applies.<br />
<br />
The Court of Appeal, interpreting the provisions of the Regulation, especially those of art. 85 regarding processing and freedom of expression and information, in conjunction with art. 7 of Law no. 190/2018 implementing the Regulation, found that the first court correctly held that, in this case, the conflict between the plaintiff's right to respect for private life, a right enshrined in art. 8 of the Convention for the Protection of Human Rights and Fundamental Freedoms, and the journalist's freedom of expression guaranteed by art. 10 of the Convention, but analyzing the concrete circumstances of the case, assessed that the rights to private life, dignity, reputation or honor or self-image of the applicant were not violated, as the articles under analysis pursue one of the legitimate goals shown by the text of the Convention, and their subject is one of public interest.<br />
<br />
The appellant's criticisms in the sense that there was a wrong interpretation and application of the provisions of art. 7 of Law no. 190/2018 and that the plaintiffs' action to publish, respectively to associate his name and image with circumstances not directly related to his person, represents a violation of the provisions of EU Regulation no. 679/2016, in particular the provisions of art. 6 para. (1) lit. a) from it, are unfounded, for the reasons that will be presented next.<br />
<br />
The High Court notes that, it is true that according to EU Regulation no. 679/2016, no personal data (including the name and image of the person, according to art. 4 points 1 and 2) can be processed, i.e. brought to the public's attention, without the consent of their holder, but nevertheless, the European legislator established through the Regulation that the member states can adopt legislation at the national level that provides for such exceptions for the journalistic field.<br />
<br />
This happened at the national level, the Romanian legislator adopting Law no. 190/2018 on measures to implement Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), through which it regulated the matter of personal data protection, focusing on the issue of personal data processing by journalists in art. 7 of the previously mentioned normative act.<br />
<br />
According to art. 7 of Law no. 190/2018, in order to ensure a balance between the right to the protection of personal data, freedom of expression and the right to information, processing for journalistic purposes or for the purpose of academic, artistic or literary expression can be carried out, if it concerns personal data which have been openly made public by the person concerned or which are closely related to the quality of public person of the person concerned or to the public nature of the facts in which he is involved.<br />
<br />
In accordance with the factual situation held by the previous court in the sense that it established the quality of the appellant-plaintiff as a public person, he being an important businessman, who owns and manages, among other things, the largest and oldest mall in X, the company he patronizes being involved in various public projects and that the article in question refers to the controversial way in which the company owned by the appellant-complainant, D., built a large restaurant, on a plot of land in the center of municipality X, following a partnership concluded with the local public authority, the High Court considers that the defendants were in the derogatory situation provided for by the provisions cited above, which were correctly interpreted in this way by the previous courts, since the facts presented were of a public nature, of general interest, being closely related to the public person quality of the person concerned.<br />
<br />
The appellate court distinctly concluded that the subject of the article is one of public interest, but also that the plaintiff has the capacity of a public person, which is important from the perspective of art. 7 of Law no. 190/2018 in order to analyze whether or not the act of using the name and image of the plaintiff without his consent is illegal, from the perspective of the GDPR Regulation, but also to analyze whether or not the right balance between the right to private life enshrined in art. 8 of the Convention for the Protection of Human Rights and Fundamental Freedoms and the journalist's freedom of expression guaranteed by art. 10 of the Convention.<br />
<br />
The appellant, although citing the provisions of art. 7 of Law no. 190/2018, omits to notice that the derogation from the rules for the protection of personal data is provided not only in the situation where they have been made public in a manifest manner by the data subject, but also when the facts described are of a public nature and are closely related to the quality of public person of the person concerned, aspects already retained by the court of appeal as a result of the interpretation of the evidence administered in the case.<br />
<br />
As such, the previous courts correctly found that the sanctions of the Regulation on the protection of natural persons are not applicable with regard to the processing of personal data and regarding the free circulation of this data and of the law applying it.<br />
<br />
The appellant considers that the reasoning of the court of appeal is wrong in the sense that the insertion of his name and photo in the article is in accordance with the legal requirements as it concerns the commercial activity of a company that he "leads", because in reality, it does not follow in any way from the documents of the file that the plaintiff "leads", in general, the activity of the company D.S.A., nor that, in relation to the business analyzed by the respondents in the relevant article, he was directly involved, not being an administrator of this company, and the premise from which the court of appeal started in the resolution of the appeal, namely that the appellant is a public person (without a concrete analysis of the documents submitted before the first instance, of the appellant's possible public appearances, their current nature, their frequency, the appellant's intentional public exposure in another way), is contrary to the meaning and interpretation of the provisions of art. 71 of the Civil Code, as well as of art. 8 and 10 of the ECHR.<br />
<br />
Or, with these claims, in reality, one tends to retain a different factual situation (that the holding of shares does not equate to the management activity of a company) than the one already established, in the sense of the plaintiff's involvement in the management activity of the company in question and which can no longer be interfered with on the occasion of judicial control. The appeals court does not have the competence to censure the factual situation established by the challenged decision and to reevaluate the evidence for this purpose, but only to verify the legality of the decision by referring to the factual situation that has already been established, because the way in which the courts of substance interpreted the administered evidence and established on its basis a certain factual situation does not constitute grounds for appeal under art. 488 Civil Procedure Code.<br />
<br />
A reinterpretation of the evidence administered in the case is no longer possible in the way of appeal, as previously shown, so that the High Court of Cassation and Justice can no longer reanalyze the documents submitted to the file, as requested by the appellant, in order to change the data regarding the factual situation, as it was held by the previous courts.<br />
<br />
Another ground of appeal concerned the wrong interpretation and application of art. 71 of the Civil Code, as well as art. 8 and 10 of the European Convention on Human Rights.<br />
<br />
Analyzing the provisions invoked regarding freedom of expression, it is found that according to art. 10 para. 1 thesis I of the European Convention on Human Rights, "every person has the right to freedom of expression. This right includes freedom of opinion and freedom to receive or communicate information or ideas without the interference of public authorities and regardless of borders".<br />
<br />
As such, freedom of expression is the essential foundation of a democratic society and one of the primary conditions for everyone's progress and fulfillment, but it is not an absolute freedom; its exercise is subject to restrictions and limitations.<br />
<br />
In this sense, art. 30 paragraph (6) of the Romanian Constitution provides that freedom of expression cannot prejudice the dignity, honor, private life of the person nor the right to one's own image, and art. 57 of the Constitution states that citizens must exercise their constitutional rights and freedoms in good faith, without violating the rights and freedoms of citizens.<br />
<br />
The ECHR jurisprudence ruled, for its part, that the right to free expression is not an absolute one, this conclusion being in accordance with the provisions of art. 10 para. (2) of the Convention, according to which the exercise of these freedoms that entail duties and responsibilities may be subject to formalities, conditions, restrictions or sanctions provided by law which, in a democratic society, constitute necessary measures for national security, territorial integrity or public safety, defense of order and crime prevention, protection of health, morals, reputation or rights of others, to prevent the disclosure of confidential information or to guarantee the authority and impartiality of the judiciary.<br />
<br />
On the other hand, art. 8 of the ECHR guarantees every person the right to respect his private and family life. Therefore, the two rights provided by the convention are not absolute, but limit each other, in the sense that the right to private life ends where the right to free expression begins, and the right to free expression ends where the right to private life begins, so that each of the two rights guaranteed by the convention must be exercised with respect for the other.<br />
<br />
At the same time, it should be mentioned that, as far as freedom of expression is concerned, art. 70 C.civ. provides that any person has the right to free expression, the exercise of this right cannot be restricted except in the cases and limits provided for in art. 75, and the right to private life is regulated by art. 71 Civil Code, according to which every person has the right to respect his private life; no one can be subjected to any interference in his intimate, personal or family life, nor in his domicile, residence or correspondence, without his consent or without observing the limits provided for in art. 75.<br />
<br />
From the perspective of these theoretical notions, the appellate court argued in detail why it considers that the defendants' statements do not fall within the scope of the illegal and do not exceed the limits of acceptable criticism.<br />
<br />
Thus, the Court of Appeal considered that forcing the defendants to pay moral damages for the publication of the articles in question represents an interference with their right to free expression guaranteed by art. 10 of the Convention, in this sense the ECHR ruling in the Cumpănă si Mazăre v. Romania case, the Cârstea si Grecu v. Romania case, the Morar v. Romania case, the Barb v. Romania case, and such a limitation on the right to free expression is contrary to the Convention if it does not fulfill three cumulative conditions, namely: to be provided by law, to pursue at least one of the legitimate purposes provided by paragraph 2 of art. 10 of the Convention and be necessary in a democratic society to achieve that goal.<br />
<br />
In this case, the High Court considers that the previous court correctly assessed that informing the public about the real estate project of the company in which the plaintiff is involved represents a subject of general interest for the community of X, and regarding this aspect the ECHR expressed since 1992, arguing in the case of Thorgeirson v. Iceland that "art. 10 defends not only the statements included in a proper political debate, but also the discussion of any topics that interest the public opinion in general or a segment of it".<br />
<br />
Even if the plaintiff was not a public figure, it should be noted that, through the published articles, the defendant did not provide aspects of the plaintiff's private life, but submitted to debate the way in which citizens and the public budget are affected by this real estate project, and for these reasons, the Court rightly held that the aspects brought to the attention of public opinion by the defendant are of general interest and are limited to the role of the press in a democratic society.<br />
<br />
Detailing the reason for appeal based on the provisions of art. 488 para. 1 point 8 Civil Procedure Code, the appellant claims that, in this case, the use of his name and image was also made in violation of the provisions and limits of the right of expression of persons active in the field of press/media, by associating the name and image of the appellant with alleged facts that exceed the legal limits, given that during the trial neither the article in question nor the respondents identified the appellant's personal involvement in them, nor the connection between the appellant's personal life and the facts reproduced in the journalistic article from which the dispute started.<br />
<br />
As such, it is noted that the fact that the related circumstances lacked sufficient factual basis is invoked, from the perspective of the involvement of the plaintiff as a natural person, which, in principle, would lead to a violation of the provisions of art. 10 §2 ECHR.<br />
<br />
Under this aspect, it is important to mention that the ECtHR established an important distinction between the affirmation of facts and that of value judgments, and according to the Court, the existence of facts can be demonstrated, while the truth of value judgments is not susceptible to be proven.<br />
<br />
Or, precisely making this distinction between the category of value judgments in which the expression of one person's opinion on the professional, moral and personal qualities of another falls, and that of factual statements that express accusations of having committed certain acts, the European Court pointed out explicitly that to the extent that a person expresses value judgments, he cannot be required to prove the truth of what is stated, such an obligation being impossible and preventing people from asserting their opinion about others (cases of Jerusalem v. Austria; Brasilier v. France).<br />
<br />
Regarding the factual situation held by the previous court with reference to the person of the plaintiff, it was shown by the appeal court that the article states: "Two months later, the City Hall awarded the contract to company D., patronized by AA. Jr. (photo), at the price of 230 lei/sqm/year, i.e. 59,800 lei annually. There were two more offers at the auction, but only from a formal point of view, because they came from companies also controlled by A..: F. and G. The architect claims that D. requested from the very beginning that the restaurant be on two levels, something that could only be done by giving up the surface promenade. "I pushed as hard as I could to preserve the original concept. But if I continued to say that I would not make compromises, the investment would no longer be made at all. I alone could not determine an investor", he says, confirming that the City Hall did not oppose the wish to A."<br />
<br />
Analyzing the censored text, the Court of Appeal considered that the incriminated article did not report any details regarding the personal life of the appellant-complainant, but exclusively his capacity as the owner of the company D.S.A., an aspect, moreover, undisputed.<br />
<br />
The appellant tries to bring additional arguments that were not formulated previously, in order to expand the procedural framework with which he vested the substantive courts, which is not admissible from the perspective of the character of the extraordinary appeal, only for reasons of illegality of the appeal.<br />
<br />
Moreover, a reinterpretation of the administered evidence, in order to draw the conclusion of the existence of certain statements within the complained of articles regarding the appellant's personal involvement in the facts reproduced in the journalistic article, is not possible in this appeal, so that the appellant's criticisms will be removed under this aspect.<br />
<br />
In addition, regarding the statements concerning his professional activity, with involvement in the activity of SC D.S.A., it can be observed that the defendants acted in good faith in the journalistic approach and that the facts related by them were not without sufficient factual basis, referring to the data regarding the conduct of the auction in question, but also to the statements of the chief architect of the City Hall, so that their attitude, analyzed globally, demonstrates that they acted in good faith and that their statements had a sufficient factual basis and fall within the degree of acceptable exaggeration and provocation, as defined by the ECtHR in the Barb v. Romania case.<br />
<br />
The claims listed in the articles in question represent aspects of public information regarding which the real source of the information had to be held and presented to the public, the so-called proof of truth, which does not automatically mean the proof of the imputed facts stricto sensu, (which belongs to the competent bodies - courts, criminal investigation bodies, etc. and not the press) but the existence of the appearance of a factual basis that justifiably created the need for the press to bring to the attention of public opinion the aspects of general interest under discussion.<br />
<br />
However, the real source of the information was identified within the articles in question, namely documents regarding the data related to the auction and the statements of the chief architect of the X City Hall.<br />
<br />
The court of appeal notes that the jurisprudence of the European Court of Human Rights - the judgment pronounced in the Bladet Tromso and Stensaas v. Norway case, ruled that documents from state institutions should represent sources that "the press should normally, when contributing to the political debate on topics of general interest, to rely on their content, without undertaking independent checks".<br />
<br />
Against the considerations shown above, it should be noted that in this case the defendants' approach was correctly considered legitimate by the previous courts and enjoys the protection of art. 10 of the Convention, the balance between the plaintiff's right to private life, protected by art. 8 of the Convention, and the defendants' right to free expression, enshrined in art. 10 of the Convention, so that the appellant's criticisms falling under the provisions of art. 488 para. 1 point 8 C.civ.proc.<br />
<br />
For all these reasons, the appeals court, noting that none of the grounds for appeal formulated by the appellant are founded, based on the provisions of art. 496 paragraph 1 of the Civil Procedure Code, rejected the appeal declared by the plaintiff A. against decision no. 698/2021, pronounced by the Oradea Court of Appeal - Civil Section I.<br />
</pre></div>DianaRhttps://gdprhub.eu/index.php?title=ANSPDCP_(Romania)_-_Fine_against_Bitfactor_SRL&diff=28258ANSPDCP (Romania) - Fine against Bitfactor SRL2022-09-26T19:20:29Z<p>DianaR: Created page with "{{DPAdecisionBOX |Jurisdiction=Romania |DPA-BG-Color=background-color:#ffffff; |DPAlogo=LogoRO.jpg |DPA_Abbrevation=ANSPDCP |DPA_With_Country=ANSPDCP (Romania) |Case_Number_..."</p>
<hr />
<div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=Romania<br />
|DPA-BG-Color=background-color:#ffffff;<br />
|DPAlogo=LogoRO.jpg<br />
|DPA_Abbrevation=ANSPDCP<br />
|DPA_With_Country=ANSPDCP (Romania)<br />
<br />
|Case_Number_Name=Fine against Bitfactor SRL<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=ANSPDCP<br />
|Original_Source_Link_1=https://www.dataprotection.ro/?page=Comunicat_Presa_22_09_2022&lang=ro<br />
|Original_Source_Language_1=Romanian<br />
|Original_Source_Language__Code_1=RO<br />
|Original_Source_Name_2=<br />
|Original_Source_Link_2=<br />
|Original_Source_Language_2=<br />
|Original_Source_Language__Code_2=<br />
<br />
|Type=Investigation<br />
|Outcome=Violation Found<br />
|Date_Started=<br />
|Date_Decided=<br />
|Date_Published=22.09.2022<br />
|Year=<br />
|Fine=2000<br />
|Currency=EUR<br />
<br />
|GDPR_Article_1=Article 25(1) GDPR<br />
|GDPR_Article_Link_1=Article 25 GDPR#1<br />
|GDPR_Article_2=Article 32(1)(b) GDPR<br />
|GDPR_Article_Link_2=Article 32 GDPR#1b<br />
|GDPR_Article_3=Article 32(1)(d) GDPR<br />
|GDPR_Article_Link_3=Article 32 GDPR#1d<br />
|GDPR_Article_4=Article 32(2) GDPR<br />
|GDPR_Article_Link_4=Article 32 GDPR#2<br />
|GDPR_Article_5=<br />
|GDPR_Article_Link_5=<br />
|GDPR_Article_6=<br />
|GDPR_Article_Link_6=<br />
<br />
|EU_Law_Name_1=<br />
|EU_Law_Link_1=<br />
|EU_Law_Name_2=<br />
|EU_Law_Link_2=<br />
<br />
|National_Law_Name_1=<br />
|National_Law_Link_1=<br />
|National_Law_Name_2=<br />
|National_Law_Link_2=<br />
<br />
|Party_Name_1=Bitfactor SRL<br />
|Party_Link_1=<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=Unknown<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=Diana Rosu<br />
|<br />
}}<br />
<br />
The Romanian DPA fined a controller approximately EUR 2,000 over the lack of adequate technical and organisational measures that would protect personal data both at rest and in transit, which led to a data breach affecting 1757 data subjects. <br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
A data controller suffered a data breach due to technical malfunctions of its service used for marketing communications, affecting the personal data of 1757 data subjects (users of the controller's website). <br />
<br />
The controller notified the incident to the Romanian Authority. <br />
<br />
=== Holding ===<br />
Following the notification, the Romanian DPA started an investigation of the controller and identified a lack of adequate technical and organisational measures that would ensure personal data is protected both in transit and at rest. As a result, the controller was found in breach of Articles 25(1), 32(1)(b), 32(1)(d) and 32(2) GDPR and was fined approximately EUR 2,000 (RON 9,852.8).<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.<br />
<br />
<pre><br />
22.09.2022<br />
<br />
A new penalty for breaching GDPR<br />
<br />
<br />
<br />
In August 2022, the National Supervisory Authority completed an investigation at the Bitfactor SRL operator and found a violation of the provisions of art. 25 para. (1) and art. 32 para. (1) and para. (2) of the General Data Protection Regulation.<br />
<br />
The operator Bitfactor SRL was fined 9,852.8 lei (the equivalent of 2000 EURO) for contravention.<br />
<br />
The investigation was started as a result of the transmission by the operator of a notification of a breach of the security of personal data under the General Data Protection Regulation.<br />
<br />
The data breach occurred as a result of the malfunctioning of an application of the operator that sent marketing communications to users of its website, which led to a breach of the privacy of the personal data of a number of 1757 data subjects, users of the website of the operator.<br />
<br />
During the investigation, it was found that the operator did not implement adequate technical and organizational measures, which would continuously protect the personal data of the persons concerned, both at the time of establishing the means of processing, and at the time of the processing itself, intended to effectively apply the principles of data protection and integrate the necessary guarantees within the processing, although, according to art. 5 lit. f) of the General Data Protection Regulation, the operator had the obligation to respect the principle of integrity and confidentiality.<br />
<br />
In this context, we emphasize that art. 25 para. (1) of the General Regulation on Data Protection, states that "the operator, both at the time of establishing the means of processing, and at the time of the processing itself, implements appropriate technical and organizational measures, such as pseudonymization, which are intended to effectively implement data protection principles, such as data minimization, and integrate the necessary safeguards into the processing, to meet the requirements of this regulation and protect the rights of data subjects."<br />
<br />
Also, recital (78) of the General Data Protection Regulation establishes that "the operator should adopt internal policies and implement measures that respect in particular the principle of data protection from the moment of conception and that of implicit data protection."<br />
<br />
As such, the operator Bitfactor SRL was fined 9,852.8 lei (the equivalent of 2000 EURO) for violating the provisions of art. 25 para. (1) and art. 32 para. (1) lit. b), d) and para. (2) of the General Data Protection Regulation.<br />
<br />
Legal and Communication Department<br />
<br />
A.N.S.P.D.C.P.<br />
</pre></div>DianaRhttps://gdprhub.eu/index.php?title=ANSPDCP_(Romania)_-_Fine_against_Curtea_Veche_Publishing_SRL&diff=28257ANSPDCP (Romania) - Fine against Curtea Veche Publishing SRL2022-09-26T18:51:10Z<p>DianaR: Created page with "{{DPAdecisionBOX |Jurisdiction=Romania |DPA-BG-Color=background-color:#ffffff; |DPAlogo=LogoRO.jpg |DPA_Abbrevation=ANSPDCP |DPA_With_Country=ANSPDCP (Romania) |Case_Number_..."</p>
<hr />
<div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=Romania<br />
|DPA-BG-Color=background-color:#ffffff;<br />
|DPAlogo=LogoRO.jpg<br />
|DPA_Abbrevation=ANSPDCP<br />
|DPA_With_Country=ANSPDCP (Romania)<br />
<br />
|Case_Number_Name=Fine against Curtea Veche Publishing SRL<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=ANSPDCP<br />
|Original_Source_Link_1=https://www.dataprotection.ro/?page=Comunicat_Presa_21_09_2022&lang=ro<br />
|Original_Source_Language_1=Romanian<br />
|Original_Source_Language__Code_1=RO<br />
|Original_Source_Name_2=<br />
|Original_Source_Link_2=<br />
|Original_Source_Language_2=<br />
|Original_Source_Language__Code_2=<br />
<br />
|Type=Investigation<br />
|Outcome=Violation Found<br />
|Date_Started=<br />
|Date_Decided=<br />
|Date_Published=21.09.2022<br />
|Year=<br />
|Fine=5000<br />
|Currency=EUR<br />
<br />
|GDPR_Article_1=Article 32(1)(b) GDPR<br />
|GDPR_Article_Link_1=Article 32 GDPR#1b<br />
|GDPR_Article_2=Article 32(1)(c) GDPR<br />
|GDPR_Article_Link_2=Article 32 GDPR#1c<br />
|GDPR_Article_3=Article 32(2) GDPR<br />
|GDPR_Article_Link_3=Article 32 GDPR#2<br />
|GDPR_Article_4=<br />
|GDPR_Article_Link_4=<br />
|GDPR_Article_5=<br />
|GDPR_Article_Link_5=<br />
<br />
|EU_Law_Name_1=<br />
|EU_Law_Link_1=<br />
|EU_Law_Name_2=<br />
|EU_Law_Link_2=<br />
<br />
|National_Law_Name_1=<br />
|National_Law_Link_1=<br />
|National_Law_Name_2=<br />
|National_Law_Link_2=<br />
<br />
|Party_Name_1=Curtea Veche Publishing SRL<br />
|Party_Link_1=https://www.curteaveche.ro/<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=Unknown<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=Diana Rosu<br />
|<br />
}}<br />
<br />
The Romanian DPA fined a publisher EUR 5,000 over the lack of adequate technical and organisational measures which led to 2 data breaches that affected a total number of approximately 10839 data subjects. <br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
A Romanian publisher had a data breach that allowed one of its client databases to be made publicly available on an online forum. The database included the name, phone number, email address, encrypted passwords and IP addresses corresponding to 10.739 data subjects that were the publisher's clients between 2019-2021. <br />
<br />
The same publisher had a second data breach that occurred due to a ransomware attack. The incident granted unauthorised access to some personal data belonging to approximately 100 data subjects (the publisher's employees and partners). <br />
<br />
Following the two data breaches, the publisher notified the Romanian Authority.<br />
<br />
=== Holding ===<br />
After the notification, the Romanian DPA started an investigation of the publisher and found that the publisher did not implement adequate technical and organisational measures appropriate to the risk of processing, in breach of GDPR Article 32(1)b, c and 32(2). The publisher was therefore fined approximately EUR 5,000 (RON 24,566). Additionally, the Authority applied the coercive measure of requiring the publisher to review and update its technical and organisational measures, and to include supplementary information security measures over the personal data processed.<br />
<br />
== Comment ==<br />
''Share your comments here!''<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.<br />
<br />
<pre><br />
21.09.2022<br />
<br />
Penalty for GDPR violation<br />
<br />
<br />
<br />
In August 2022, the National Supervisory Authority completed an investigation at the operator Curtea Veche Publishing SRL and found a violation of the provisions of art. 32 para. (1) lit. b) and c) and para. (2) of the General Data Protection Regulation.<br />
<br />
The operator was penalized for contravention with a fine of 24,566 lei (equivalent to 5000 EURO).<br />
<br />
The investigation was started as a result of the transmission by the operator of some notifications of personal data security violations under the General Data Protection Regulation.<br />
<br />
One of the data security breaches occurred as a result of the posting on a public forum of a file containing the operator's customer database from 2019 to 2021.<br />
<br />
This situation led to the unauthorized disclosure of certain personal data, such as name, surname, telephone number, e-mail, password in encrypted form, IP address from which the user account was created, of a number of 10739 customers of the operator.<br />
<br />
The second data security breach occurred as a result of a ransomware attack, which led to unauthorized access and loss of integrity and availability of certain personal data of approx. 100 data subjects (employees and collaborators of Curtea Veche Publishing SRL).<br />
<br />
During the investigation, the National Supervisory Authority found that the operator did not implement adequate technical and organizational measures in order to ensure a level of security corresponding to the processing risk for the rights and freedoms of natural persons.<br />
<br />
As such, the operator Curtea Veche Publishing SRL was fined 24,566 lei (the equivalent of 5000 EURO) for violating the provisions of art. 32 para. (1) lit. b) and c) and para. (2) of the General Data Protection Regulation.<br />
<br />
At the same time, the operator was also given the corrective measure to review and update the technical and organizational measures implemented as a result of the risk assessment for the rights and freedoms of individuals and the work procedures related to the protection of personal data, including through the implementation of additional IT data security solutions.<br />
<br />
<br />
<br />
Legal and Communication Department<br />
<br />
A.N.S.P.D.C.P.<br />
</pre></div>
DianaR
https://gdprhub.eu/index.php?title=ANSPDCP_(Romania)_-_Fine_against_Sephora_Cosmetics_Rom%C3%A2nia_SA&diff=27722
ANSPDCP (Romania) - Fine against Sephora Cosmetics România SA
2022-08-23T14:53:32Z
<p>DianaR: : typo corrected</p>
<hr />
<div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=Romania<br />
|DPA-BG-Color=background-color:#ffffff;<br />
|DPAlogo=LogoRO.jpg<br />
|DPA_Abbrevation=ANSPDCP<br />
|DPA_With_Country=ANSPDCP (Romania)<br />
<br />
|Case_Number_Name=Fine against Sephora Cosmetics România SA<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=ANSPDCP<br />
|Original_Source_Link_1=https://www.dataprotection.ro/?page=Comunicat_Presa_04_08_2022&lang=ro<br />
|Original_Source_Language_1=Romanian<br />
|Original_Source_Language__Code_1=RO<br />
|Original_Source_Name_2=<br />
|Original_Source_Link_2=<br />
|Original_Source_Language_2=<br />
|Original_Source_Language__Code_2=<br />
<br />
|Type=Investigation<br />
|Outcome=Violation Found<br />
|Date_Started=<br />
|Date_Decided=<br />
|Date_Published=04.08.2022<br />
|Year=<br />
|Fine=2000<br />
|Currency=EUR<br />
<br />
|GDPR_Article_1=Article 21 GDPR<br />
|GDPR_Article_Link_1=Article 21 GDPR<br />
|GDPR_Article_2=<br />
|GDPR_Article_Link_2=<br />
|GDPR_Article_3=<br />
|GDPR_Article_Link_3=<br />
<br />
|EU_Law_Name_1=<br />
|EU_Law_Link_1=<br />
|EU_Law_Name_2=<br />
|EU_Law_Link_2=<br />
<br />
|National_Law_Name_1=<br />
|National_Law_Link_1=<br />
|National_Law_Name_2=<br />
|National_Law_Link_2=<br />
<br />
|Party_Name_1=Sephora Cosmetics România SA<br />
|Party_Link_1=https://www.sephora.ro/<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=Unknown<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=Diana Rosu<br />
|<br />
}}<br />
<br />
Sephora Romania was fined EUR 2,000 for sending marketing communications via SMS after several objection requests had been submitted. <br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
Sephora Romania did not take into consideration the objection requests submitted by a data subject against marketing communications sent via SMS. As a result, the data subject received several marketing SMS after the objection request and filed a complaint with the Romanian DPA. <br />
<br />
=== Holding ===<br />
The DPA found that Sephora Romania continued to send several unsolicited marketing communications via SMS after multiple objection requests of the same data subject, in breach of [[Article 21 GDPR|Article 21 GDPR]] and fined it approximately EUR 2,000. <br />
<br />
== Comment ==<br />
''Share your comments here!''<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.<br />
<br />
<pre><br />
08/04/2022<br />
<br />
<br />
<br />
Fine for GDPR violation<br />
<br />
<br />
<br />
In July 2022, the National Supervisory Authority completed an investigation at the operator Sephora Cosmetics Romania SA and found a violation of the provisions of art. 21 of the General Data Protection Regulation.<br />
<br />
The operator Sephora Cosmetics Romania SA was fined 9,883.60 lei (the equivalent of 2000 EURO).<br />
<br />
The investigation was started as a result of receiving a complaint from a petitioner claiming that she had received commercial SMS messages on her phone number from Sephora Cosmetics Romania SA. At the same time, she claimed that following her repeated requests, submitted at the end of 2020, that her data would no longer be used for marketing purposes, Sephora informed her at the beginning of 2021 that her data would no longer be processed for marketing purposes. However, later, during 2021, the petitioner received unsolicited commercial SMS messages from Sephora Cosmetics Romania SA.<br />
<br />
During the investigation carried out, it was found that Sephora Cosmetics Romania SA sent the petitioner, on her phone number, on several occasions, during 2021, commercial messages for marketing purposes, although she, through the requests sent to the operator in 2020, had exercised the right of opposition regarding the use of her own telephone number for marketing purposes.<br />
<br />
As such, Sephora Cosmetics Romania SA was sanctioned for violating the provisions of art. 21 of the General Data Protection Regulation, which guarantees the data subject the right to object at any time, for reasons related to the particular situation in which he is, to the processing of personal data concerning him.<br />
<br />
<br />
<br />
Legal and Communication Department<br />
<br />
A.N.S.P.D.C.P.<br />
</pre></div>
DianaR
https://gdprhub.eu/index.php?title=ANSPDCP_(Romania)_-_Fine_against_SC_Wabag_Water_Services_SRL&diff=27721
ANSPDCP (Romania) - Fine against SC Wabag Water Services SRL
2022-08-23T14:52:42Z
<p>DianaR: Created page with "{{DPAdecisionBOX |Jurisdiction=Romania |DPA-BG-Color=background-color:#ffffff; |DPAlogo=LogoRO.jpg |DPA_Abbrevation=ANSPDCP |DPA_With_Country=ANSPDCP (Romania) |Case_Number_..."</p>
<hr />
<div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=Romania<br />
|DPA-BG-Color=background-color:#ffffff;<br />
|DPAlogo=LogoRO.jpg<br />
|DPA_Abbrevation=ANSPDCP<br />
|DPA_With_Country=ANSPDCP (Romania)<br />
<br />
|Case_Number_Name=Fine against SC Wabag Water Services SRL<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=ANSPDCP<br />
|Original_Source_Link_1=https://www.dataprotection.ro/?page=Comunicat_Presa_09.08.2022&lang=ro%09<br />
|Original_Source_Language_1=Romanian<br />
|Original_Source_Language__Code_1=RO<br />
|Original_Source_Name_2=<br />
|Original_Source_Link_2=<br />
|Original_Source_Language_2=<br />
|Original_Source_Language__Code_2=<br />
<br />
|Type=Investigation<br />
|Outcome=Violation Found<br />
|Date_Started=<br />
|Date_Decided=<br />
|Date_Published=09.08.2022<br />
|Year=<br />
|Fine=1000<br />
|Currency=EUR<br />
<br />
|GDPR_Article_1=Article 5(1)(a) GDPR<br />
|GDPR_Article_Link_1=Article 5 GDPR#1a<br />
|GDPR_Article_2=Article 5(2) GDPR<br />
|GDPR_Article_Link_2=Article 5 GDPR#2<br />
|GDPR_Article_3=Article 6 GDPR<br />
|GDPR_Article_Link_3=Article 6 GDPR<br />
|GDPR_Article_4=<br />
|GDPR_Article_Link_4=<br />
|GDPR_Article_5=<br />
|GDPR_Article_Link_5=<br />
<br />
|EU_Law_Name_1=<br />
|EU_Law_Link_1=<br />
|EU_Law_Name_2=<br />
|EU_Law_Link_2=<br />
<br />
|National_Law_Name_1=<br />
|National_Law_Link_1=<br />
|National_Law_Name_2=<br />
|National_Law_Link_2=<br />
<br />
|Party_Name_1=<br />
|Party_Link_1=<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=Unknown<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=Diana Rosu<br />
|<br />
}}<br />
<br />
The Romanian DPA fined a controller EUR 1,000 after it unlawfully processed its employees' personal data in order to register them and make an appointment on their behalf for a COVID-19 vaccination. <br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
A data controller (SC Wabag Water Services SRL) registered and made an appointment on the COVID-19 vaccination website on behalf of its employees without their consent. Consequently, one of the affected data subjects (and the controller's employee) filed a complaint with the Romanian DPA. <br />
<br />
=== Holding ===<br />
The Romanian DPA found that the controller unlawfully processed the data of its employees in order to register and schedule an appointment on their behalf on the COVID-19 vaccination platform. The controller did not obtain a valid consent and did not prove that it was subject to a different situation that does not require consent for processing the concerned personal data. As such, the controller was found in breach of GDPR Article 5(1)a, 5(2) and 6 and fined approximately EUR 1,000.<br />
<br />
== Comment ==<br />
''Share your comments here!''<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.<br />
<br />
<pre><br />
In June 2022, the National Supervisory Authority completed an investigation at the operator SC Wabag Water Services SRL and found a violation of the provisions of art. 5 para. (1) lit. a) and para. (2) and of art. 6 of the General Data Protection Regulation.<br />
<br />
The operator SC Wabag Water Services SRL was fined 4,945.40 lei (the equivalent of 1000 EURO).<br />
<br />
The investigation was started as a result of receiving complaints from a petitioner claiming that her personal data was used by her own employer (SC Wabag Water Services SRL), without her consent, in order to register and program her on the national platform of vaccination for carrying out the vaccine against Covid-19.<br />
<br />
During the investigation, it was noted that the operator SC Wabag Water Services SRL used the personal data of the petitioner (employee of the operator) for the purpose of registering and scheduling her on the national scheduling platform for vaccination against Covid-19, in the year 2021, without providing proof of the existence of the petitioner's consent and without the existence of another situation in which consent is not necessary, thus violating the provisions of art. 5 para. (1) lit. a) and para. (2) and of art. 6 of Regulation (EU) 2016/679.<br />
<br />
In this context, we emphasize that art. 5 of Regulation (EU) 2016/679 establishes a series of principles that must be respected in the context of data processing. Among them is the one regarding the processing of data in a legal, fair and transparent manner towards the data subject ("legality, fairness and transparency"), this being provided for in art. 5 para. (1) lit. a) from the regulation.<br />
<br />
At the same time, art. 5 para. (2) of Regulation (EU) 2016/679 provides that the operator is responsible for compliance with the processing principles and can demonstrate this compliance (principle of responsibility).<br />
</pre></div>
DianaR
https://gdprhub.eu/index.php?title=ANSPDCP_(Romania)_-_Fine_against_Sephora_Cosmetics_Rom%C3%A2nia_SA&diff=27719
ANSPDCP (Romania) - Fine against Sephora Cosmetics România SA
2022-08-23T14:51:12Z
<p>DianaR: Created page with "{{DPAdecisionBOX |Jurisdiction=Romania |DPA-BG-Color=background-color:#ffffff; |DPAlogo=LogoRO.jpg |DPA_Abbrevation=ANSPDCP |DPA_With_Country=ANSPDCP (Romania) |Case_Number_..."</p>
<hr />
<div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=Romania<br />
|DPA-BG-Color=background-color:#ffffff;<br />
|DPAlogo=LogoRO.jpg<br />
|DPA_Abbrevation=ANSPDCP<br />
|DPA_With_Country=ANSPDCP (Romania)<br />
<br />
|Case_Number_Name=Fine against Sephora Cosmetics România SA<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=ANSPDCP<br />
|Original_Source_Link_1=https://www.dataprotection.ro/?page=Comunicat_Presa_04_08_2022&lang=ro<br />
|Original_Source_Language_1=Romanian<br />
|Original_Source_Language__Code_1=RO<br />
|Original_Source_Name_2=<br />
|Original_Source_Link_2=<br />
|Original_Source_Language_2=<br />
|Original_Source_Language__Code_2=<br />
<br />
|Type=Investigation<br />
|Outcome=Violation Found<br />
|Date_Started=<br />
|Date_Decided=<br />
|Date_Published=04.08.2022<br />
|Year=<br />
|Fine=2000<br />
|Currency=EUR<br />
<br />
|GDPR_Article_1=Article 21 GDPR<br />
|GDPR_Article_Link_1=Article 21 GDPR<br />
|GDPR_Article_2=<br />
|GDPR_Article_Link_2=<br />
|GDPR_Article_3=<br />
|GDPR_Article_Link_3=<br />
<br />
|EU_Law_Name_1=<br />
|EU_Law_Link_1=<br />
|EU_Law_Name_2=<br />
|EU_Law_Link_2=<br />
<br />
|National_Law_Name_1=<br />
|National_Law_Link_1=<br />
|National_Law_Name_2=<br />
|National_Law_Link_2=<br />
<br />
|Party_Name_1=Sephora Cosmetics România SA<br />
|Party_Link_1=https://www.sephora.ro/<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=Unknown<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=Diana Rosu<br />
|<br />
}}<br />
<br />
Sephora Romania was fined EUR 2,000 for sending marketing communications via SMS after several objection requests had been submitted. <br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
Sephora Romania did not take into consideration the objection requests submitted by a data subject against marketing communications sent via SMS. As a result, the data subject received several marketing SMS after the objection request and filed a complaint with the Romanian DPA. <br />
<br />
=== Holding ===<br />
The DPA found that Sephora Romania continued to send several unsolicited marketing communications via SMS after multiple objection requests of the same data subject, in breach of [[Article 21 GDPR|Article 21 GDPR]] and fined it approximately EUR 2,000. <br />
<br />
== Comment ==<br />
''Share your comments here!''<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.<br />
<br />
<pre><br />
08/04/2022<br />
<br />
<br />
<br />
Fine for GDPR violation<br />
<br />
<br />
<br />
In July 2022, the National Supervisory Authority completed an investigation at the operator Sephora Cosmetics Romania SA and found a violation of the provisions of art. 21 of the General Data Protection Regulation.<br />
<br />
The operator Sephora Cosmetics Romania SA was fined 9,883.60 lei (the equivalent of 2000 EURO).<br />
<br />
The investigation was started as a result of receiving a complaint from a petitioner claiming that she had received commercial SMS messages on her phone number from Sephora Cosmetics Romania SA. At the same time, she claimed that following her repeated requests, submitted at the end of 2020, that her data would no longer be used for marketing purposes, Sephora informed her at the beginning of 2021 that her data would no longer be processed for marketing purposes. However, later, during 2021, the petitioner received unsolicited commercial SMS messages from Sephora Cosmetics Romania SA.<br />
<br />
During the investigation carried out, it was found that Sephora Cosmetics Romania SA sent the petitioner, on her phone number, on several occasions, during 2021, commercial messages for marketing purposes, although she, through the requests sent to the operator in 2020, had exercised the right of opposition regarding the use of her own telephone number for marketing purposes.<br />
<br />
As such, Sephora Cosmetics Romania SA was sanctioned for violating the provisions of art. 21 of the General Data Protection Regulation, which guarantees the data subject the right to object at any time, for reasons related to the particular situation in which he is, to the processing of personal data concerning him.<br />
<br />
<br />
<br />
Legal and Communication Department<br />
<br />
A.N.S.P.D.C.P.<br />
</pre></div>
DianaR
https://gdprhub.eu/index.php?title=ANSPDCP_(Romania)_-_Fine_against_Denmar_Nacrut_SRL&diff=27706
ANSPDCP (Romania) - Fine against Denmar Nacrut SRL
2022-08-23T09:12:00Z
<p>DianaR: /* Holding */</p>
<hr />
<div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=Romania<br />
|DPA-BG-Color=background-color:#ffffff;<br />
|DPAlogo=LogoRO.jpg<br />
|DPA_Abbrevation=ANSPDCP<br />
|DPA_With_Country=ANSPDCP (Romania)<br />
<br />
|Case_Number_Name=Fine against Denmar Nacrut SRL<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=ANSPDCP<br />
|Original_Source_Link_1=https://www.dataprotection.ro/?page=Comunicat_Presa_09.08.2022_2&lang=ro<br />
|Original_Source_Language_1=Romanian<br />
|Original_Source_Language__Code_1=RO<br />
|Original_Source_Name_2=<br />
|Original_Source_Link_2=<br />
|Original_Source_Language_2=<br />
|Original_Source_Language__Code_2=<br />
<br />
|Type=Investigation<br />
|Outcome=Violation Found<br />
|Date_Started=<br />
|Date_Decided=<br />
|Date_Published=<br />
|Year=<br />
|Fine=2500<br />
|Currency=EUR<br />
<br />
|GDPR_Article_1=Article 5(1)(b) GDPR<br />
|GDPR_Article_Link_1=Article 5 GDPR#1b<br />
|GDPR_Article_2=Article 5(1)(c) GDPR<br />
|GDPR_Article_Link_2=Article 5 GDPR#1c<br />
|GDPR_Article_3=Article 5(1)(a) GDPR<br />
|GDPR_Article_Link_3=Article 5 GDPR#1a<br />
|GDPR_Article_4=Article 5(2) GDPR<br />
|GDPR_Article_Link_4=Article 5 GDPR#2<br />
|GDPR_Article_5=Article 6 GDPR<br />
|GDPR_Article_Link_5=Article 6 GDPR<br />
|GDPR_Article_6=Article 12 GDPR<br />
|GDPR_Article_Link_6=Article 12 GDPR<br />
|GDPR_Article_7=Article 13 GDPR<br />
|GDPR_Article_Link_7=Article 13 GDPR<br />
|GDPR_Article_8=<br />
|GDPR_Article_Link_8=<br />
|GDPR_Article_9=<br />
|GDPR_Article_Link_9=<br />
<br />
|EU_Law_Name_1=<br />
|EU_Law_Link_1=<br />
|EU_Law_Name_2=<br />
|EU_Law_Link_2=<br />
<br />
|National_Law_Name_1=<br />
|National_Law_Link_1=<br />
|National_Law_Name_2=<br />
|National_Law_Link_2=<br />
<br />
|Party_Name_1=Denmar Nacrut SRL<br />
|Party_Link_1=<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=Unknown<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=Diana Rosu<br />
|<br />
}}<br />
<br />
The Romanian DPA fined a beauty salon EUR 2,500 after it was found in breach of Articles 5(1)a,b,c, 5(2), 12 and 13 due to the unlawful processing of personal data through surveillance cameras. <br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
After a complaint filed by a data subject about the excessive surveillance systems installed, the Romanian DPA started an investigation against a beauty salon (Denmar Nacrut SRL). During the investigation, the DPA found that the controller had installed CCTV cameras inside and outside its beauty salon, surveilling both its clients and its employees without clearly informing the data subjects and without a sufficient legitimate interest that would override the interests of the data subject. <br />
<br />
=== Holding ===<br />
The DPA held that the data processed through the video surveillance systems were not limited to what was necessary to reach the desired purpose. Additionally, the DPA held that the data subjects were not clearly informed about this processing according to the requirements of Article 12 and 13. <br />
<br />
As a result, the controller was fined:<br />
<br />
* approximately EUR 1000 for breaching Articles 12-13<br />
* approximately EUR 1500 for breaching Articles 5(1)a,b,c and 5(2).<br />
<br />
Additionally, going forward, the controller is required to: <br />
<br />
* properly inform the data subjects according to the requirements of Articles 12-13; <br />
* stop the video surveillance when there is no legal ground to do so; <br />
* implement the necessary technical and organisational measures to lawfully manage the video surveillance; <br />
* restrict remote and continuous access to the video footage, and only allow access to that footage in special cases such as incidents. <br />
<br />
<br />
== Comment ==<br />
''Share your comments here!''<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.<br />
<br />
<pre><br />
08/09/2022<br />
<br />
Penalty for GDPR violation<br />
<br />
<br />
<br />
In July 2022, the National Supervisory Authority completed an investigation at the operator Denmar Nacrut SRL and found a violation of the provisions of art. 12, art. 13, as well as art. 5 para. (1) lit. a), b) and c), related to art. 5 para. (2) and art. 6 of the General Data Protection Regulation.<br />
<br />
As such, the operator was penalized as a contravention, as follows:<br />
<br />
fine in the amount of 4,945.10 lei (the equivalent of 1000 EURO), for violating the provisions of art. 12-13 of the General Data Protection Regulation;<br />
fine in the amount of 7,417.65 lei (the equivalent of 1500 EURO), for violating the provisions of art. 5 para. (1) lit. a), b) and c), related to art. 5 para. (2) and art. 6 of the General Data Protection Regulation.<br />
<br />
At the same time, under art. 58 para. (2) lit. d) from the General Data Protection Regulation, the following corrective measures were ordered against the operator:<br />
<br />
ensuring the information of the concerned persons through the communication in a concise, transparent, intelligible and easily accessible form of all the information provided by art. 13 of the General Data Protection Regulation and under the conditions of transparency referred to in art. 12 of the same regulation;<br />
eliminating the use of the video surveillance camera installed at the cosmetic room level for which there is no express legal basis for processing the personal data of its customers and employees according to art. 6 of the General Data Protection Regulation;<br />
ensuring compliance with the General Data Protection Regulation of personal data processing operations, by implementing appropriate technical and organizational measures and establishing appropriate rules related to the management of images captured by surveillance cameras;<br />
prohibiting remote access via the Internet to images and recordings, as well as accessing images and recordings only in the event of incidents related to the purpose of installing these surveillance cameras.<br />
<br />
The investigation was started as a result of a report through which a natural person signaled the fact that the targeted persons, clients of SC Denmar Nacrut SRL, were being monitored by video during the provision of cosmetic services.<br />
<br />
During the investigation, it was found that Denmar Nacrut SRL has a video surveillance system installed both inside and outside the space where the operator operates, which monitors both employees and customers.<br />
<br />
It was also noted that the operator did not prove that it had provided clear, complete and correct information to its employees and the persons concerned whose personal data (i.e. the image) is processed through video surveillance cameras, by communicating all the information provided by art. 13 of the General Data Protection Regulation and under the transparency conditions of art. 12 of the same regulation.<br />
<br />
At the same time, it turned out that Denmar Nacrut SRL did not prove any previously existing incidents that would justify its legitimate interest that prevailed over the interests or fundamental rights and freedoms of the persons concerned. Thus, it was found that the operator excessively processed the data (images) of its customers and employees, through the video camera installed in the premises where cosmetic treatments were performed. The data thus processed were not adequate, relevant and limited to what is necessary in relation to the purposes for which they were processed ("data minimization"). The operator's stated purpose could be achieved by means less intrusive to the privacy of its customers and employees.<br />
<br />
As such, the violation of the provisions of art. 5 para. (1) lit. a), b) and c) of the General Data Protection Regulation related to the conditions regarding the legality of the processing established by art. 6 of the same regulation.<br />
<br />
In addition, the operator could not demonstrate compliance with the principles of processing according to art. 5 para. (2) of the General Data Protection Regulation.<br />
<br />
<br />
<br />
Legal and Communication Department<br />
<br />
A.N.S.P.D.C.P.<br />
</pre></div>
DianaR
https://gdprhub.eu/index.php?title=ANSPDCP_(Romania)_-_Fine_against_Denmar_Nacrut_SRL&diff=27705
ANSPDCP (Romania) - Fine against Denmar Nacrut SRL
2022-08-23T09:09:37Z
<p>DianaR: Created page with "{{DPAdecisionBOX |Jurisdiction=Romania |DPA-BG-Color=background-color:#ffffff; |DPAlogo=LogoRO.jpg |DPA_Abbrevation=ANSPDCP |DPA_With_Country=ANSPDCP (Romania) |Case_Number_..."</p>
<hr />
<div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=Romania<br />
|DPA-BG-Color=background-color:#ffffff;<br />
|DPAlogo=LogoRO.jpg<br />
|DPA_Abbrevation=ANSPDCP<br />
|DPA_With_Country=ANSPDCP (Romania)<br />
<br />
|Case_Number_Name=Fine against Denmar Nacrut SRL<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=ANSPDCP<br />
|Original_Source_Link_1=https://www.dataprotection.ro/?page=Comunicat_Presa_09.08.2022_2&lang=ro<br />
|Original_Source_Language_1=Romanian<br />
|Original_Source_Language__Code_1=RO<br />
|Original_Source_Name_2=<br />
|Original_Source_Link_2=<br />
|Original_Source_Language_2=<br />
|Original_Source_Language__Code_2=<br />
<br />
|Type=Investigation<br />
|Outcome=Violation Found<br />
|Date_Started=<br />
|Date_Decided=<br />
|Date_Published=<br />
|Year=<br />
|Fine=2500<br />
|Currency=EUR<br />
<br />
|GDPR_Article_1=Article 5(1)(b) GDPR<br />
|GDPR_Article_Link_1=Article 5 GDPR#1b<br />
|GDPR_Article_2=Article 5(1)(c) GDPR<br />
|GDPR_Article_Link_2=Article 5 GDPR#1c<br />
|GDPR_Article_3=Article 5(1)(a) GDPR<br />
|GDPR_Article_Link_3=Article 5 GDPR#1a<br />
|GDPR_Article_4=Article 5(2) GDPR<br />
|GDPR_Article_Link_4=Article 5 GDPR#2<br />
|GDPR_Article_5=Article 6 GDPR<br />
|GDPR_Article_Link_5=Article 6 GDPR<br />
|GDPR_Article_6=Article 12 GDPR<br />
|GDPR_Article_Link_6=Article 12 GDPR<br />
|GDPR_Article_7=Article 13 GDPR<br />
|GDPR_Article_Link_7=Article 13 GDPR<br />
|GDPR_Article_8=<br />
|GDPR_Article_Link_8=<br />
|GDPR_Article_9=<br />
|GDPR_Article_Link_9=<br />
<br />
|EU_Law_Name_1=<br />
|EU_Law_Link_1=<br />
|EU_Law_Name_2=<br />
|EU_Law_Link_2=<br />
<br />
|National_Law_Name_1=<br />
|National_Law_Link_1=<br />
|National_Law_Name_2=<br />
|National_Law_Link_2=<br />
<br />
|Party_Name_1=Denmar Nacrut SRL<br />
|Party_Link_1=<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=Unknown<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=Diana Rosu<br />
|<br />
}}<br />
<br />
The Romanian DPA fined a beauty salon EUR 2,500 after it was found in breach of Articles 5(1)a,b,c, 5(2), 12 and 13 due to the unlawful processing of personal data through surveillance cameras. <br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
After a complaint filed by a data subject about the excessive surveillance systems installed, the Romanian DPA started an investigation against a beauty salon (Denmar Nacrut SRL). During the investigation, the DPA found that the controller had installed CCTV cameras inside and outside its beauty salon, surveilling both its clients and its employees without clearly informing the data subjects and without a sufficient legitimate interest that would override the interests of the data subjects. <br />
<br />
=== Holding ===<br />
The DPA held that the data processed through the video surveillance systems were not limited to what was necessary to reach the desired purpose. Additionally, the DPA held that the data subjects were not clearly informed about this processing according to the requirements of Articles 12 and 13. <br />
<br />
As a result, the controller was fined:<br />
- approximately EUR 1000 for breaching Articles 12-13<br />
- approximately EUR 1500 for breaching Articles 5(1)a,b,c and 5(2).<br />
<br />
Additionally, going forward, the controller is required to:<br />
- properly inform the data subjects according to the requirements of Articles 12-13;<br />
- stop the video surveillance when there is no legal ground to do so;<br />
- implement the necessary technical and organisational measures to lawfully manage the video surveillance; <br />
- restrict remote and continuous access to the video footage, and only allow access to that footage in special cases such as incidents. <br />
<br />
<br />
== Comment ==<br />
''Share your comments here!''<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.<br />
<br />
<pre><br />
08/09/2022<br />
<br />
Penalty for GDPR violation<br />
<br />
<br />
<br />
In July 2022, the National Supervisory Authority completed an investigation at the operator Denmar Nacrut SRL and found a violation of the provisions of art. 12, art. 13, as well as art. 5 para. (1) lit. a), b) and c), related to art. 5 para. (2) and art. 6 of the General Data Protection Regulation.<br />
<br />
As such, the operator was penalized as a contravention, as follows:<br />
<br />
fine in the amount of 4,945.10 lei (the equivalent of 1000 EURO), for violating the provisions of art. 12-13 of the General Data Protection Regulation; fine in the amount of 7,417.65 lei (the equivalent of 1500 EURO), for violating the provisions of art. 5 para. (1) lit. a), b) and c), related to art. 5 para. (2) and art. 6 of the General Data Protection Regulation.<br />
<br />
At the same time, under art. 58 para. (2) lit. d) from the General Data Protection Regulation, the following corrective measures were ordered against the operator:<br />
<br />
ensuring the information of the concerned persons through the communication in a concise, transparent, intelligible and easily accessible form of all the information provided by art. 13 of the General Data Protection Regulation and under the conditions of transparency referred to in art. 12 of the same regulation; eliminating the use of the video surveillance camera installed at the cosmetic room level for which there is no express legal basis for processing the personal data of its customers and employees according to art. 6 of the General Data Protection Regulation; ensuring compliance with the General Data Protection Regulation of personal data processing operations, by implementing appropriate technical and organizational measures and establishing appropriate rules related to the management of images captured by surveillance cameras; prohibiting remote access via the Internet to images and recordings, as well as accessing images and recordings only in the event of incidents related to the purpose of installing these surveillance cameras.<br />
<br />
The investigation was started as a result of a report through which a natural person signaled the fact that the targeted persons, clients of SC Denmar Nacrut SRL, were being monitored by video during the provision of cosmetic services.<br />
<br />
During the investigation, it was found that Denmar Nacrut SRL has a video surveillance system installed both inside and outside the space where the operator operates, which monitors both employees and customers.<br />
<br />
It was also noted that the operator did not prove that it had provided clear, complete and correct information to its employees and the persons concerned whose personal data (ie the image) is processed through video surveillance cameras, by communicating all the information provided by art. 13 of the General Data Protection Regulation and under the transparency conditions of art. 12 of the same regulation.<br />
<br />
At the same time, it turned out that Denmar Nacrut SRL did not prove any previously existing incidents that would justify its legitimate interest that prevailed over the interests or fundamental rights and freedoms of the persons concerned. Thus, it was found that the operator excessively processed the data (images) of its customers and employees, through the video camera installed in the premises where cosmetic treatments were performed. The data thus processed were not adequate, relevant and limited to what is necessary in relation to the purposes for which they were processed ("data minimization"). The operator's stated purpose could be achieved by means less intrusive to the privacy of its customers and employees.<br />
<br />
As such, the violation of the provisions of art. 5 para. (1) lit. a), b) and c) of the General Data Protection Regulation related to the conditions regarding the legality of the processing established by art. 6 of the same regulation.<br />
<br />
In addition, the operator could not demonstrate compliance with the principles of processing according to art. 5 para. (2) of the General Data Protection Regulation.<br />
<br />
<br />
<br />
Legal and Communication Department<br />
<br />
A.N.S.P.D.C.P.<br />
</pre></div>DianaRhttps://gdprhub.eu/index.php?title=ANSPDCP_(Romania)_-_Fine_against_CDI_Transport&diff=27703ANSPDCP (Romania) - Fine against CDI Transport2022-08-23T08:45:01Z<p>DianaR: Created page with "{{DPAdecisionBOX |Jurisdiction=Romania |DPA-BG-Color=background-color:#ffffff; |DPAlogo=LogoRO.jpg |DPA_Abbrevation=ANSPDCP |DPA_With_Country=ANSPDCP (Romania) |Case_Number_..."</p>
<hr />
<div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=Romania<br />
|DPA-BG-Color=background-color:#ffffff;<br />
|DPAlogo=LogoRO.jpg<br />
|DPA_Abbrevation=ANSPDCP<br />
|DPA_With_Country=ANSPDCP (Romania)<br />
<br />
|Case_Number_Name=Fine against CDI Transport<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=ANSPDCP<br />
|Original_Source_Link_1=https://www.dataprotection.ro/?page=Comunicat_Presa_09.08.2022_1&lang=ro<br />
|Original_Source_Language_1=Romanian<br />
|Original_Source_Language__Code_1=RO<br />
|Original_Source_Name_2=<br />
|Original_Source_Link_2=<br />
|Original_Source_Language_2=<br />
|Original_Source_Language__Code_2=<br />
<br />
|Type=Investigation<br />
|Outcome=Violation Found<br />
|Date_Started=<br />
|Date_Decided=<br />
|Date_Published=09.08.2022<br />
|Year=<br />
|Fine=7000<br />
|Currency=EUR<br />
<br />
|GDPR_Article_1=Article 12(1) GDPR<br />
|GDPR_Article_Link_1=Article 12 GDPR#1<br />
|GDPR_Article_2=Article 58(1)(a) GDPR<br />
|GDPR_Article_Link_2=Article 58 GDPR#1a<br />
|GDPR_Article_3=Article 58(1)(e) GDPR<br />
|GDPR_Article_Link_3=Article 58 GDPR#1e<br />
|GDPR_Article_4=<br />
|GDPR_Article_Link_4=<br />
|GDPR_Article_5=<br />
|GDPR_Article_Link_5=<br />
<br />
|EU_Law_Name_1=<br />
|EU_Law_Link_1=<br />
|EU_Law_Name_2=<br />
|EU_Law_Link_2=<br />
<br />
|National_Law_Name_1=<br />
|National_Law_Link_1=<br />
|National_Law_Name_2=<br />
|National_Law_Link_2=<br />
<br />
|Party_Name_1=CDI Transport Intern și Internațional SRL<br />
|Party_Link_1=https://www.cditransport.ro/<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=Unknown<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=Diana Rosu<br />
|<br />
}}<br />
<br />
The Romanian DPA fined a transportation company EUR 7,000 due to its lack of collaboration during an investigation. Additionally, the company was sanctioned with a warning after being found in breach of Article 12 for not fulfilling the transparency requirements. <br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
Following a complaint filed by a data subject, the Romanian DPA started an investigation against a passenger transport company (CDI Transport). The data subject complained that the controller's website did not include all the necessary information required in a privacy notice to fulfil the transparency requirements. <br />
<br />
During the investigation, the company did not answer the DPA's request within the legal deadline. <br />
<br />
=== Holding ===<br />
The DPA held that the controller did not clearly inform the data subjects visiting its website about the personal data collected and did not publish the relevant information required by GDPR Articles 12-22, including the purpose of processing personal data, the legal basis, the controller's contact details, the retention period, and the possibility of exercising data subject rights. As a result, the controller was found in breach of GDPR Article 12(1) and sanctioned with a warning. Additionally, a corrective measure was imposed on the controller, requiring it to provide the data subjects with all the information required by Article 12 in a clear and transparent manner. <br />
<br />
Separately, the controller was fined EUR 7,000 for not answering the DPA's request during the investigation. <br />
<br />
== Comment ==<br />
''Share your comments here!''<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.<br />
<br />
<pre><br />
08/09/2022<br />
<br />
Penalty for GDPR violation<br />
<br />
<br />
<br />
In June 2022, the National Supervisory Authority completed an investigation at the operator CDI Transport Intern si Internazionale SRL and found a violation of the provisions of art. 58 para. (1) lit. a) and e) and art. 12 para. (1) of the General Data Protection Regulation.<br />
<br />
As such, the operator was penalized:<br />
<br />
with a fine of 34,630.40 lei, (the equivalent of 7000 EURO), for violating the provisions of art. 58 para. (1) lit. a) and e) of the General Data Protection Regulation; with a warning, for violating the provisions of art. 12 para. (1) of the General Data Protection Regulation.<br />
<br />
The investigation was started as a result of a notification that it was reported that on the company's website there is no information on the method of collecting personal data, regarding the rights provided for in art. 15-22 of the General Regulation on the Protection of the Data that the data subjects benefit from, regarding the manner of exercising these rights, nor regarding the fact that the operator has the obligation to inform the data subjects in the event of a breach of the security of personal data.<br />
<br />
During the investigation carried out, as a result of the fact that the operator did not provide the information requested by our institution, within the legal term, a violation of the provisions of art. 58 para. (1) lit. (a) and (e) of the General Data Protection Regulation.<br />
<br />
At the same time, it was noted that the operator CDI Transport Intern si Internaționale SRL did not provide clear, complete and correct information of the data subjects whose personal data is processed by the company as it did not provide all the information provided by the provisions of art. 12-22 of the General Data Protection Regulation, such as those relating to the purpose of processing and the legal basis, the identity and contact details of the operator, the period for which the data will be stored or the criteria used to establish this period, the conditions for exercising rights. As such, the violation of the provisions of art. 12 para. (1) of the General Data Protection Regulation<br />
<br />
At the same time, the operator was also ordered to take the corrective measure of ensuring the information of the persons concerned by communicating in a concise, transparent, intelligible and easily accessible form all the information provided by art. 12 of the General Data Protection Regulation.<br />
<br />
<br />
<br />
Legal and Communication Department<br />
<br />
A.N.S.P.D.C.P.<br />
<br />
<br />
</pre></div>DianaRhttps://gdprhub.eu/index.php?title=ANSPDCP_(Romania)_-_Fine_against_S.C._Delivery_Solutions_S.A._(Sameday)&diff=27086ANSPDCP (Romania) - Fine against S.C. Delivery Solutions S.A. (Sameday)2022-07-17T17:10:13Z<p>DianaR: </p>
<hr />
<div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=Romania<br />
|DPA-BG-Color=background-color:#ffffff;<br />
|DPAlogo=LogoRO.jpg<br />
|DPA_Abbrevation=ANSPDCP<br />
|DPA_With_Country=ANSPDCP (Romania)<br />
<br />
|Case_Number_Name=Fine against S.C. Delivery Solutions S.A. (Sameday)<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=ANSPDCP<br />
|Original_Source_Link_1=https://www.dataprotection.ro/?page=Comunicat_Presa_11_07_2022&lang=ro<br />
|Original_Source_Language_1=Romanian<br />
|Original_Source_Language__Code_1=RO<br />
|Original_Source_Name_2=<br />
|Original_Source_Link_2=<br />
|Original_Source_Language_2=<br />
|Original_Source_Language__Code_2=<br />
<br />
|Type=Investigation<br />
|Outcome=Violation Found<br />
|Date_Started=<br />
|Date_Decided=<br />
|Date_Published=11.07.2022<br />
|Year=<br />
|Fine=3000<br />
|Currency=EUR<br />
<br />
|GDPR_Article_1=Article 29 GDPR<br />
|GDPR_Article_Link_1=Article 29 GDPR<br />
|GDPR_Article_2=Article 32(1)(b) GDPR<br />
|GDPR_Article_Link_2=Article 32 GDPR#1b<br />
|GDPR_Article_3=Article 32(2) GDPR<br />
|GDPR_Article_Link_3=Article 32 GDPR#2<br />
|GDPR_Article_4=<br />
|GDPR_Article_Link_4=<br />
|GDPR_Article_5=<br />
|GDPR_Article_Link_5=<br />
<br />
|EU_Law_Name_1=<br />
|EU_Law_Link_1=<br />
|EU_Law_Name_2=<br />
|EU_Law_Link_2=<br />
<br />
|National_Law_Name_1=<br />
|National_Law_Link_1=<br />
|National_Law_Name_2=<br />
|National_Law_Link_2=<br />
<br />
|Party_Name_1=S.C. Delivery Solutions S.A.<br />
|Party_Link_1=https://sameday.ro/?lang=en<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=Unknown<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=Diana Rosu<br />
|<br />
}}<br />
<br />
The Romanian DPA fined a processor approximately €3.000 after it did not implement necessary technical and organisational measures which led to a database containing the personal data of 26.566 individuals being made available online for sale. <br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
S.C. Delivery Solutions S.A., commonly known in Romania as Sameday, is a courier company and the data processor for two controllers. As a processor, Sameday is required to implement the necessary technical and organisational measures to ensure the security of the personal data processed on behalf of the controllers. However, the database used by Sameday and containing the personal data of 26.566 customers (name of the recipient, contact details, address of the recipient, parcel details, delivery status etc.) was found for sale online on a website which was later seized by the FBI, Europol and other European national police agencies.<br />
<br />
=== Holding ===<br />
After a data subject found the database available for sale online, they reported it to the Romanian DPA, which started an investigation against the processor. During the investigation, the DPA discovered that the processor had not adopted the necessary technical and organisational measures to ensure the security of the personal data, and that, as a consequence, the data concerning 26.566 individuals was available online for sale. As a result, the processor was found in breach of GDPR Article 29, 32(1)b, and 32(2) and fined approximately €3.000 (RON 14.825,70).<br />
<br />
== Comment ==<br />
''Share your comments here!''<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.<br />
<br />
<pre><br />
11.07.2022<br />
<br />
Sanction for violating the RGPD<br />
<br />
<br />
<br />
In June, the National Supervisory Authority completed an investigation at S.C. Delivery Solutions S.A. (Sameday) and found a violation of the provisions of art. 29, art. 32 para. (1) lit. b) and para. (2) of the General Data Protection Regulation.<br />
<br />
SC Delivery Solutions S.A. (Sameday) was sanctioned with a fine of 14,825.70 lei (equivalent to 3,000 EURO).<br />
<br />
The investigation was initiated as a result of complaints filed by a natural person who reported that the database of S.C. Delivery Solutions S.A. (Sameday) is for sale on the website https://raidforums.com/Thread-SELLING-=ae-SAMEDAY-RO-Romanian-Postal-Service.<br />
<br />
In the investigation, it was noted that S.C. Delivery Solutions S.A. (Sameday) is the person authorized by two companies for the processing of personal data, being obliged to take all necessary measures to systematically protect the processing of personal data of individuals, as provided in art. 28 para. (3) lit. c) of the RGPD, including against disclosure and / or unauthorized access to data.<br />
<br />
It was also found that personal data belonging to a number of 26566 individuals concerned (number and date AWB - transport document that accompanies the shipment of any package, courier codes, sender name, name and surname of the recipient, telephone number, address , delivery status, type of service, package weight, amount receivable, delivery range) were available for sale on the RaidForums forum and could be accessed using the link https://raidforums.com/Thread-SELLING-=æ-SAMEDAY- RO-Romanian-Postal-Service.<br />
<br />
As such, S.C. Delivery Solutions S.A. was fined for failing to implement adequate technical and organizational measures to ensure a level of security appropriate to the processing risk for the rights and freedoms of individuals, which led to the disclosure and / or unauthorized access to personal data for 26,566 targeted natural persons.<br />
<br />
<br />
<br />
Legal and Communication Department<br />
<br />
A.N.S.P.D.C.P.<br />
</pre></div>DianaRhttps://gdprhub.eu/index.php?title=ANSPDCP_(Romania)_-_Fine_against_S.C._Delivery_Solutions_S.A._(Sameday)&diff=27085ANSPDCP (Romania) - Fine against S.C. Delivery Solutions S.A. (Sameday)2022-07-17T17:09:06Z<p>DianaR: Created page with "{{DPAdecisionBOX |Jurisdiction=Romania |DPA-BG-Color=background-color:#ffffff; |DPAlogo=LogoRO.jpg |DPA_Abbrevation=ANSPDCP |DPA_With_Country=ANSPDCP (Romania) |Case_Number_..."</p>
<hr />
<div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=Romania<br />
|DPA-BG-Color=background-color:#ffffff;<br />
|DPAlogo=LogoRO.jpg<br />
|DPA_Abbrevation=ANSPDCP<br />
|DPA_With_Country=ANSPDCP (Romania)<br />
<br />
|Case_Number_Name=Fine against S.C. Delivery Solutions S.A. (Sameday)<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=ANSPDCP<br />
|Original_Source_Link_1=https://www.dataprotection.ro/?page=Comunicat_Presa_11_07_2022&lang=ro<br />
|Original_Source_Language_1=Romanian<br />
|Original_Source_Language__Code_1=RO<br />
|Original_Source_Name_2=<br />
|Original_Source_Link_2=<br />
|Original_Source_Language_2=<br />
|Original_Source_Language__Code_2=<br />
<br />
|Type=Investigation<br />
|Outcome=Violation Found<br />
|Date_Started=<br />
|Date_Decided=<br />
|Date_Published=11.07.2022<br />
|Year=<br />
|Fine=3000<br />
|Currency=EUR<br />
<br />
|GDPR_Article_1=Article 29 GDPR<br />
|GDPR_Article_Link_1=Article 29 GDPR<br />
|GDPR_Article_2=Article 32(1)(b) GDPR<br />
|GDPR_Article_Link_2=Article 32 GDPR#1b<br />
|GDPR_Article_3=Article 32(2) GDPR<br />
|GDPR_Article_Link_3=Article 32 GDPR#2<br />
|GDPR_Article_4=<br />
|GDPR_Article_Link_4=<br />
|GDPR_Article_5=<br />
|GDPR_Article_Link_5=<br />
<br />
|EU_Law_Name_1=<br />
|EU_Law_Link_1=<br />
|EU_Law_Name_2=<br />
|EU_Law_Link_2=<br />
<br />
|National_Law_Name_1=<br />
|National_Law_Link_1=<br />
|National_Law_Name_2=<br />
|National_Law_Link_2=<br />
<br />
|Party_Name_1=S.C. Delivery Solutions S.A.<br />
|Party_Link_1=https://sameday.ro/?lang=en<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=Unknown<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=Diana Rosu<br />
|<br />
}}<br />
<br />
The Romanian DPA fined a processor approximately €3.000 after it did not implement necessary technical and organisational measures which led to a database containing the personal data of 26.566 individuals being made available online for sale. <br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
S.C. Delivery Solutions S.A., commonly known in Romania as Sameday, is a courier company and the data processor for two controllers. As a processor, Sameday is required to implement the necessary technical and organisational measures to ensure the security of the personal data processed on behalf of the controllers. However, the database used by Sameday and containing the personal data of 26.566 customers (name of the recipient, contact details, address of the recipient, parcel details, delivery status etc.) was found for sale online on a website which was later seized by the FBI, Europol and other European national police agencies (link https://raidforums.com/Thread-SELLING-=æ-SAMEDAY-RO-Romanian-Postal-Service).<br />
<br />
=== Holding ===<br />
After a data subject found the database available for sale online, they reported it to the Romanian DPA, which started an investigation against the processor. During the investigation, the DPA discovered that the processor had not adopted the necessary technical and organisational measures to ensure the security of the personal data, and that, as a consequence, the data concerning 26.566 individuals was available online for sale. As a result, the processor was found in breach of GDPR Article 29, 32(1)b, and 32(2) and fined approximately €3.000 (RON 14.825,70).<br />
<br />
== Comment ==<br />
''Share your comments here!''<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.<br />
<br />
<pre><br />
11.07.2022<br />
<br />
Sanction for violating the RGPD<br />
<br />
<br />
<br />
In June, the National Supervisory Authority completed an investigation at S.C. Delivery Solutions S.A. (Sameday) and found a violation of the provisions of art. 29, art. 32 para. (1) lit. b) and para. (2) of the General Data Protection Regulation.<br />
<br />
SC Delivery Solutions S.A. (Sameday) was sanctioned with a fine of 14,825.70 lei (equivalent to 3,000 EURO).<br />
<br />
The investigation was initiated as a result of complaints filed by a natural person who reported that the database of S.C. Delivery Solutions S.A. (Sameday) is for sale on the website https://raidforums.com/Thread-SELLING-=ae-SAMEDAY-RO-Romanian-Postal-Service.<br />
<br />
In the investigation, it was noted that S.C. Delivery Solutions S.A. (Sameday) is the person authorized by two companies for the processing of personal data, being obliged to take all necessary measures to systematically protect the processing of personal data of individuals, as provided in art. 28 para. (3) lit. c) of the RGPD, including against disclosure and / or unauthorized access to data.<br />
<br />
It was also found that personal data belonging to a number of 26566 individuals concerned (number and date AWB - transport document that accompanies the shipment of any package, courier codes, sender name, name and surname of the recipient, telephone number, address , delivery status, type of service, package weight, amount receivable, delivery range) were available for sale on the RaidForums forum and could be accessed using the link https://raidforums.com/Thread-SELLING-=æ-SAMEDAY- RO-Romanian-Postal-Service.<br />
<br />
As such, S.C. Delivery Solutions S.A. was fined for failing to implement adequate technical and organizational measures to ensure a level of security appropriate to the processing risk for the rights and freedoms of individuals, which led to the disclosure and / or unauthorized access to personal data for 26,566 targeted natural persons.<br />
<br />
<br />
<br />
Legal and Communication Department<br />
<br />
A.N.S.P.D.C.P.<br />
</pre></div>DianaRhttps://gdprhub.eu/index.php?title=ANSPDCP_(Romania)_-_Fine_against_E_Software_Concept_SRL&diff=27084ANSPDCP (Romania) - Fine against E Software Concept SRL2022-07-17T16:40:17Z<p>DianaR: </p>
<hr />
<div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=Romania<br />
|DPA-BG-Color=background-color:#ffffff;<br />
|DPAlogo=LogoRO.jpg<br />
|DPA_Abbrevation=ANSPDCP<br />
|DPA_With_Country=ANSPDCP (Romania)<br />
<br />
|Case_Number_Name=Fine against E Software Concept SRL<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=ANSPDCP<br />
|Original_Source_Link_1=https://www.dataprotection.ro/?page=Comunicat_Presa_07_07_2022_02&lang=ro<br />
|Original_Source_Language_1=Romanian<br />
|Original_Source_Language__Code_1=RO<br />
|Original_Source_Name_2=<br />
|Original_Source_Link_2=<br />
|Original_Source_Language_2=<br />
|Original_Source_Language__Code_2=<br />
<br />
|Type=Investigation<br />
|Outcome=Violation Found<br />
|Date_Started=<br />
|Date_Decided=<br />
|Date_Published=07.07.2022<br />
|Year=<br />
|Fine=4000<br />
|Currency=EUR<br />
<br />
|GDPR_Article_1=Article 32(1)(b) GDPR<br />
|GDPR_Article_Link_1=Article 32 GDPR#1b<br />
|GDPR_Article_2=Article 32(2) GDPR<br />
|GDPR_Article_Link_2=Article 32 GDPR#2<br />
|GDPR_Article_3=Article 58(1)(a) GDPR<br />
|GDPR_Article_Link_3=Article 58 GDPR#1a<br />
|GDPR_Article_4=Article 58(1)(e) GDPR<br />
|GDPR_Article_Link_4=Article 58 GDPR#1e<br />
|GDPR_Article_5=<br />
|GDPR_Article_Link_5=<br />
|GDPR_Article_6=<br />
|GDPR_Article_Link_6=<br />
<br />
|EU_Law_Name_1=<br />
|EU_Law_Link_1=<br />
|EU_Law_Name_2=<br />
|EU_Law_Link_2=<br />
<br />
|National_Law_Name_1=<br />
|National_Law_Link_1=<br />
|National_Law_Name_2=<br />
|National_Law_Link_2=<br />
<br />
|Party_Name_1=E Software Concept SRL<br />
|Party_Link_1=<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=Unknown<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=Diana Rosu<br />
|<br />
}}<br />
<br />
The Romanian DPA fined a controller approximately € 4,000 for not implementing appropriate technical and organisational measures, and for not replying to the DPA's inquiries during its investigation. <br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
The controller E SOFTWARE CONCEPT SRL published on their website several documents, including client invoices and tracking numbers for the parcels sent to their clients. These documents included the personal data of their clients, including names, surnames, delivery addresses, phone numbers, usernames, passwords and email addresses. <br />
<br />
=== Holding ===<br />
In May 2022, the Romanian DPA started an investigation against the controller. Although the DPA requested further information regarding the security measures adopted by the controller, the controller did not reply to the formal request for information submitted by the Authority. As a result, the controller was fined: <br />
<br />
* approximately € 1,000 (RON 4,945.54) for not answering the Authority's request, in breach of GDPR Article 58(1)a and e, and<br />
* approximately € 3,000 (RON 14,837.10) for not implementing the appropriate technical and organisational measures to ensure a proper level of security and confidentiality for personal data, in breach of GDPR Article 32(1)b and 32(2).<br />
<br />
== Comment ==<br />
''Share your comments here!''<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.<br />
<br />
<pre><br />
07.07.2022<br />
<br />
Fine for violation of RGPD<br />
<br />
<br />
<br />
The National Supervisory Authority completed in May of this year an investigation at the operator E Software Concept SRL and found a violation of the provisions of art. 58 para. (1) lit. a) and e) and of art. 32 para. (1) lit. b) and para. (2) of the General Data Protection Regulation.<br />
<br />
As such, the company E Software Concept SRL was sanctioned for minor offenses as follows:<br />
<br />
fine in the amount of 4,945.54 lei, the equivalent of 1000 EURO, as the operator did not provide the information requested by the Supervisory Authority; fine in the amount of 14,837.10 lei, the equivalent of 3000 EURO, as the operator did not implement adequate technical and organizational measures in order to ensure a level of security corresponding to the processing risk.<br />
<br />
During the investigation, it was found that, on the operator's website, at certain links, certain documents were publicly available (such as invoices issued by E SOFTWARE CONCEPT SRL to its customers, individuals and legal entities, and AWBs - transport documents that must accompany the sending of parcels, issued by courier service applicants) by which the following personal data were revealed: name, surname, sender and consignee address, telephone number, username and password, e-mail addresses . This situation has led to the loss of confidentiality of personal data of the operator's customers (individuals and legal entities).<br />
<br />
Thus, the company E SOFTWARE CONCEPT SRL was sanctioned with a fine for violating the provisions of art. 32 para. (1) lit. b) and para. (2) of the General Data Protection Regulation, as it has not implemented adequate technical and organizational measures to ensure a level of security appropriate to the risk of processing.<br />
<br />
At the same time, the operator was fined for failing to comply with the request for information addressed by the National Supervisory Authority in the exercise of its powers.<br />
<br />
<br />
<br />
Legal and Communication Department<br />
<br />
A.N.S.P.D.C.P.<br />
<br />
<br />
</pre></div>DianaRhttps://gdprhub.eu/index.php?title=ANSPDCP_(Romania)_-_Fine_against_E_Software_Concept_SRL&diff=27083ANSPDCP (Romania) - Fine against E Software Concept SRL2022-07-17T16:39:04Z<p>DianaR: </p>
<hr />
<div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=Romania<br />
|DPA-BG-Color=background-color:#ffffff;<br />
|DPAlogo=LogoRO.jpg<br />
|DPA_Abbrevation=ANSPDCP<br />
|DPA_With_Country=ANSPDCP (Romania)<br />
<br />
|Case_Number_Name=Fine against E Software Concept SRL<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=ANSPDCP<br />
|Original_Source_Link_1=https://www.dataprotection.ro/?page=Comunicat_Presa_07_07_2022_02&lang=ro<br />
|Original_Source_Language_1=Romanian<br />
|Original_Source_Language__Code_1=RO<br />
|Original_Source_Name_2=<br />
|Original_Source_Link_2=<br />
|Original_Source_Language_2=<br />
|Original_Source_Language__Code_2=<br />
<br />
|Type=Investigation<br />
|Outcome=Violation Found<br />
|Date_Started=<br />
|Date_Decided=<br />
|Date_Published=07.07.2022<br />
|Year=<br />
|Fine=4000<br />
|Currency=EUR<br />
<br />
|GDPR_Article_1=Article 32(1)(b) GDPR<br />
|GDPR_Article_Link_1=Article 32 GDPR#1b<br />
|GDPR_Article_2=Article 32(2) GDPR<br />
|GDPR_Article_Link_2=Article 32 GDPR#2<br />
|GDPR_Article_3=Article 58(1)(a) GDPR<br />
|GDPR_Article_Link_3=Article 58 GDPR#1a<br />
|GDPR_Article_4=Article 58(1)(e) GDPR<br />
|GDPR_Article_Link_4=Article 58 GDPR#1e<br />
|GDPR_Article_5=<br />
|GDPR_Article_Link_5=<br />
|GDPR_Article_6=<br />
|GDPR_Article_Link_6=<br />
<br />
|EU_Law_Name_1=<br />
|EU_Law_Link_1=<br />
|EU_Law_Name_2=<br />
|EU_Law_Link_2=<br />
<br />
|National_Law_Name_1=<br />
|National_Law_Link_1=<br />
|National_Law_Name_2=<br />
|National_Law_Link_2=<br />
<br />
|Party_Name_1=<br />
|Party_Link_1=E Software Concept SRL<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=Unknown<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=Diana Rosu<br />
|<br />
}}<br />
<br />
The Romanian DPA fined a controller approximately € 4,000 for not implementing appropriate technical and organisational measures, and for not replying to the DPA's inquiries during its investigation. <br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
The controller E SOFTWARE CONCEPT SRL published on their website several documents, including client invoices and tracking numbers for the parcels sent to their clients. These documents included the personal data of their clients, including names, surnames, delivery addresses, phone numbers, usernames, passwords and email addresses. <br />
<br />
=== Holding ===<br />
In May 2022, the Romanian DPA started an investigation against the controller. Although the DPA requested further information regarding the security measures adopted by the controller, the controller did not reply to the formal request for information submitted by the Authority. As a result, the controller was fined: <br />
<br />
* approximately € 1,000 (RON 4,945.54) for not answering the Authority's request, in breach of GDPR Article 58(1)(a) and (e), and<br />
* approximately € 3,000 (RON 14,837.10) for not implementing the appropriate technical and organisational measures to ensure a proper level of security and confidentiality for personal data, in breach of GDPR Article 32(1)(b) and 32(2).<br />
<br />
== Comment ==<br />
''Share your comments here!''<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.<br />
<br />
<pre><br />
07.07.2022<br />
<br />
Fine for violation of RGPD<br />
<br />
<br />
<br />
The National Supervisory Authority completed in May of this year an investigation at the operator E Software Concept SRL and found a violation of the provisions of art. 58 para. (1) lit. a) and e) and of art. 32 para. (1) lit. b) and para. (2) of the General Data Protection Regulation.<br />
<br />
As such, the company E Software Concept SRL was sanctioned for minor offenses as follows:<br />
<br />
fine in the amount of 4,945.54 lei, the equivalent of 1000 EURO, as the operator did not provide the information requested by the Supervisory Authority; fine in the amount of 14,837.10 lei, the equivalent of 3000 EURO, as the operator did not implement adequate technical and organizational measures in order to ensure a level of security corresponding to the processing risk.<br />
<br />
During the investigation, it was found that, on the operator's website, at certain links, certain documents were publicly available (such as invoices issued by E SOFTWARE CONCEPT SRL to its customers, individuals and legal entities, and AWBs - transport documents that must accompany the sending of parcels, issued by courier service applicants) by which the following personal data were revealed: name, surname, sender and consignee address, telephone number, username and password, e-mail addresses. This situation has led to the loss of confidentiality of personal data of the operator's customers (individuals and legal entities).<br />
<br />
Thus, the company E SOFTWARE CONCEPT SRL was sanctioned with a fine for violating the provisions of art. 32 para. (1) lit. b) and para. (2) of the General Data Protection Regulation, as it has not implemented adequate technical and organizational measures to ensure a level of security appropriate to the risk of processing.<br />
<br />
At the same time, the operator was fined for failing to comply with the request for information addressed by the National Supervisory Authority in the exercise of its powers.<br />
<br />
<br />
<br />
Legal and Communication Department<br />
<br />
A.N.S.P.D.C.P.<br />
<br />
<br />
</pre></div>DianaRhttps://gdprhub.eu/index.php?title=ANSPDCP_(Romania)_-_Fine_against_E_Software_Concept_SRL&diff=27082ANSPDCP (Romania) - Fine against E Software Concept SRL2022-07-17T16:34:31Z<p>DianaR: /* Holding */</p>
<hr />
<div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=Romania<br />
|DPA-BG-Color=background-color:#ffffff;<br />
|DPAlogo=LogoRO.jpg<br />
|DPA_Abbrevation=ANSPDCP<br />
|DPA_With_Country=ANSPDCP (Romania)<br />
<br />
|Case_Number_Name=Fine against E Software Concept SRL<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=ANSPDCP<br />
|Original_Source_Link_1=https://www.dataprotection.ro/?page=Comunicat_Presa_07_07_2022_02&lang=ro<br />
|Original_Source_Language_1=Romanian<br />
|Original_Source_Language__Code_1=RO<br />
|Original_Source_Name_2=<br />
|Original_Source_Link_2=<br />
|Original_Source_Language_2=<br />
|Original_Source_Language__Code_2=<br />
<br />
|Type=Investigation<br />
|Outcome=Violation Found<br />
|Date_Started=<br />
|Date_Decided=<br />
|Date_Published=07.07.2022<br />
|Year=<br />
|Fine=4000<br />
|Currency=EUR<br />
<br />
|GDPR_Article_1=Article 32(1)(b) GDPR<br />
|GDPR_Article_Link_1=Article 32 GDPR#1b<br />
|GDPR_Article_2=Article 32(2) GDPR<br />
|GDPR_Article_Link_2=Article 32 GDPR#2<br />
|GDPR_Article_3=Article 58(1)(a) GDPR<br />
|GDPR_Article_Link_3=Article 58 GDPR#1a<br />
|GDPR_Article_4=Article 58(1)(e) GDPR<br />
|GDPR_Article_Link_4=Article 58 GDPR#1e<br />
|GDPR_Article_5=<br />
|GDPR_Article_Link_5=<br />
|GDPR_Article_6=<br />
|GDPR_Article_Link_6=<br />
<br />
|EU_Law_Name_1=<br />
|EU_Law_Link_1=<br />
|EU_Law_Name_2=<br />
|EU_Law_Link_2=<br />
<br />
|National_Law_Name_1=<br />
|National_Law_Link_1=<br />
|National_Law_Name_2=<br />
|National_Law_Link_2=<br />
<br />
|Party_Name_1=<br />
|Party_Link_1=<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=Unknown<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=Diana Rosu<br />
|<br />
}}<br />
<br />
The Romanian DPA fined a controller approximately € 4,000 for not implementing appropriate technical and organisational measures, and for not replying to the DPA's inquiries during its investigation. <br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
The controller E SOFTWARE CONCEPT SRL published on their website several documents, including client invoices and tracking numbers for the parcels sent to their clients. These documents included the personal data of their clients, including names, surnames, delivery addresses, phone numbers, usernames, passwords and email addresses. <br />
<br />
=== Holding ===<br />
In May 2022, the Romanian DPA started an investigation against the controller. Although the DPA requested further information regarding the security measures adopted by the controller, the controller did not reply to the formal request for information submitted by the Authority. As a result, the controller was fined: <br />
<br />
* approximately € 1,000 (RON 4,945.54) for not answering the Authority's request, in breach of GDPR Article 58(1)(a) and (e), and<br />
* approximately € 3,000 (RON 14,837.10) for not implementing the appropriate technical and organisational measures to ensure a proper level of security and confidentiality for personal data, in breach of GDPR Article 32(1)(b) and 32(2).<br />
<br />
== Comment ==<br />
''Share your comments here!''<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.<br />
<br />
<pre><br />
07.07.2022<br />
<br />
Fine for violation of RGPD<br />
<br />
<br />
<br />
The National Supervisory Authority completed in May of this year an investigation at the operator E Software Concept SRL and found a violation of the provisions of art. 58 para. (1) lit. a) and e) and of art. 32 para. (1) lit. b) and para. (2) of the General Data Protection Regulation.<br />
<br />
As such, the company E Software Concept SRL was sanctioned for minor offenses as follows:<br />
<br />
fine in the amount of 4,945.54 lei, the equivalent of 1000 EURO, as the operator did not provide the information requested by the Supervisory Authority; fine in the amount of 14,837.10 lei, the equivalent of 3000 EURO, as the operator did not implement adequate technical and organizational measures in order to ensure a level of security corresponding to the processing risk.<br />
<br />
During the investigation, it was found that, on the operator's website, at certain links, certain documents were publicly available (such as invoices issued by E SOFTWARE CONCEPT SRL to its customers, individuals and legal entities, and AWBs - transport documents that must accompany the sending of parcels, issued by courier service applicants) by which the following personal data were revealed: name, surname, sender and consignee address, telephone number, username and password, e-mail addresses. This situation has led to the loss of confidentiality of personal data of the operator's customers (individuals and legal entities).<br />
<br />
Thus, the company E SOFTWARE CONCEPT SRL was sanctioned with a fine for violating the provisions of art. 32 para. (1) lit. b) and para. (2) of the General Data Protection Regulation, as it has not implemented adequate technical and organizational measures to ensure a level of security appropriate to the risk of processing.<br />
<br />
At the same time, the operator was fined for failing to comply with the request for information addressed by the National Supervisory Authority in the exercise of its powers.<br />
<br />
<br />
<br />
Legal and Communication Department<br />
<br />
A.N.S.P.D.C.P.<br />
<br />
<br />
</pre></div>DianaRhttps://gdprhub.eu/index.php?title=ANSPDCP_(Romania)_-_Fine_against_E_Software_Concept_SRL&diff=27081ANSPDCP (Romania) - Fine against E Software Concept SRL2022-07-17T16:31:43Z<p>DianaR: Created page with "{{DPAdecisionBOX |Jurisdiction=Romania |DPA-BG-Color=background-color:#ffffff; |DPAlogo=LogoRO.jpg |DPA_Abbrevation=ANSPDCP |DPA_With_Country=ANSPDCP (Romania) |Case_Number_..."</p>
<hr />
<div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=Romania<br />
|DPA-BG-Color=background-color:#ffffff;<br />
|DPAlogo=LogoRO.jpg<br />
|DPA_Abbrevation=ANSPDCP<br />
|DPA_With_Country=ANSPDCP (Romania)<br />
<br />
|Case_Number_Name=Fine against E Software Concept SRL<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=ANSPDCP<br />
|Original_Source_Link_1=https://www.dataprotection.ro/?page=Comunicat_Presa_07_07_2022_02&lang=ro<br />
|Original_Source_Language_1=Romanian<br />
|Original_Source_Language__Code_1=RO<br />
|Original_Source_Name_2=<br />
|Original_Source_Link_2=<br />
|Original_Source_Language_2=<br />
|Original_Source_Language__Code_2=<br />
<br />
|Type=Investigation<br />
|Outcome=Violation Found<br />
|Date_Started=<br />
|Date_Decided=<br />
|Date_Published=07.07.2022<br />
|Year=<br />
|Fine=4000<br />
|Currency=EUR<br />
<br />
|GDPR_Article_1=Article 32(1)(b) GDPR<br />
|GDPR_Article_Link_1=Article 32 GDPR#1b<br />
|GDPR_Article_2=Article 32(2) GDPR<br />
|GDPR_Article_Link_2=Article 32 GDPR#2<br />
|GDPR_Article_3=Article 58(1)(a) GDPR<br />
|GDPR_Article_Link_3=Article 58 GDPR#1a<br />
|GDPR_Article_4=Article 58(1)(e) GDPR<br />
|GDPR_Article_Link_4=Article 58 GDPR#1e<br />
|GDPR_Article_5=<br />
|GDPR_Article_Link_5=<br />
|GDPR_Article_6=<br />
|GDPR_Article_Link_6=<br />
<br />
|EU_Law_Name_1=<br />
|EU_Law_Link_1=<br />
|EU_Law_Name_2=<br />
|EU_Law_Link_2=<br />
<br />
|National_Law_Name_1=<br />
|National_Law_Link_1=<br />
|National_Law_Name_2=<br />
|National_Law_Link_2=<br />
<br />
|Party_Name_1=<br />
|Party_Link_1=<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=Unknown<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=Diana Rosu<br />
|<br />
}}<br />
<br />
The Romanian DPA fined a controller approximately € 4,000 for not implementing appropriate technical and organisational measures, and for not replying to the DPA's inquiries during the investigation. <br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
The controller E SOFTWARE CONCEPT SRL published on their website several documents, including client invoices and tracking numbers for the parcels sent to their clients. These documents included the personal data of their clients, including names, surnames, delivery addresses, phone numbers, usernames, passwords and email addresses. <br />
<br />
=== Holding ===<br />
In May 2022, the Romanian DPA started an investigation against the controller. Although the DPA requested further information regarding the security measures adopted by the controller, the controller did not reply to the formal request for information submitted by the Authority. As a result, the controller was fined:<br />
- approximately € 1,000 (RON 4,945.54) for not answering the Authority's request, in breach of GDPR Article 58(1)(a) and (e), and <br />
- approximately € 3,000 (RON 14,837.10) for not implementing the appropriate technical and organisational measures to ensure a proper level of security and confidentiality for personal data, in breach of GDPR Article 32(1)(b) and 32(2).<br />
<br />
== Comment ==<br />
''Share your comments here!''<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.<br />
<br />
<pre><br />
07.07.2022<br />
<br />
Fine for violation of RGPD<br />
<br />
<br />
<br />
The National Supervisory Authority completed in May of this year an investigation at the operator E Software Concept SRL and found a violation of the provisions of art. 58 para. (1) lit. a) and e) and of art. 32 para. (1) lit. b) and para. (2) of the General Data Protection Regulation.<br />
<br />
As such, the company E Software Concept SRL was sanctioned for minor offenses as follows:<br />
<br />
fine in the amount of 4,945.54 lei, the equivalent of 1000 EURO, as the operator did not provide the information requested by the Supervisory Authority; fine in the amount of 14,837.10 lei, the equivalent of 3000 EURO, as the operator did not implement adequate technical and organizational measures in order to ensure a level of security corresponding to the processing risk.<br />
<br />
During the investigation, it was found that, on the operator's website, at certain links, certain documents were publicly available (such as invoices issued by E SOFTWARE CONCEPT SRL to its customers, individuals and legal entities, and AWBs - transport documents that must accompany the sending of parcels, issued by courier service applicants) by which the following personal data were revealed: name, surname, sender and consignee address, telephone number, username and password, e-mail addresses. This situation has led to the loss of confidentiality of personal data of the operator's customers (individuals and legal entities).<br />
<br />
Thus, the company E SOFTWARE CONCEPT SRL was sanctioned with a fine for violating the provisions of art. 32 para. (1) lit. b) and para. (2) of the General Data Protection Regulation, as it has not implemented adequate technical and organizational measures to ensure a level of security appropriate to the risk of processing.<br />
<br />
At the same time, the operator was fined for failing to comply with the request for information addressed by the National Supervisory Authority in the exercise of its powers.<br />
<br />
<br />
<br />
Legal and Communication Department<br />
<br />
A.N.S.P.D.C.P.<br />
<br />
<br />
</pre></div>DianaRhttps://gdprhub.eu/index.php?title=ANSPDCP_(Romania)_-_Fine_against_Asocia%C8%9Bia_de_Proprietari_Avia%C8%9Biei_Park&diff=26522ANSPDCP (Romania) - Fine against Asociația de Proprietari Aviației Park2022-06-22T06:53:36Z<p>DianaR: /* Facts */</p>
<hr />
<div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=Romania<br />
|DPA-BG-Color=background-color:#ffffff;<br />
|DPAlogo=LogoRO.jpg<br />
|DPA_Abbrevation=ANSPDCP<br />
|DPA_With_Country=ANSPDCP (Romania)<br />
<br />
|Case_Number_Name=Fine against Asociația de Proprietari Aviației Park<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=ANSPDCP<br />
|Original_Source_Link_1=https://www.dataprotection.ro/?page=Comunicat_Presa_20_06_2022_2&lang=ro<br />
|Original_Source_Language_1=Romanian<br />
|Original_Source_Language__Code_1=RO<br />
|Original_Source_Name_2=<br />
|Original_Source_Link_2=<br />
|Original_Source_Language_2=<br />
|Original_Source_Language__Code_2=<br />
<br />
|Type=Investigation<br />
|Outcome=Violation Found<br />
|Date_Started=<br />
|Date_Decided=27.05.2022<br />
|Date_Published=20.06.2022<br />
|Year=2022<br />
|Fine=7000<br />
|Currency=EUR<br />
<br />
|GDPR_Article_1=Article 5(1)(a) GDPR<br />
|GDPR_Article_Link_1=Article 5 GDPR#1a<br />
|GDPR_Article_2=Article 5(1)(c) GDPR<br />
|GDPR_Article_Link_2=Article 5 GDPR#1c<br />
|GDPR_Article_3=Article 5(1)(e) GDPR<br />
|GDPR_Article_Link_3=Article 5 GDPR#1e<br />
|GDPR_Article_4=Article 5(2) GDPR<br />
|GDPR_Article_Link_4=Article 5 GDPR#2<br />
|GDPR_Article_5=Article 6 GDPR<br />
|GDPR_Article_Link_5=Article 6 GDPR<br />
|GDPR_Article_6=<br />
|GDPR_Article_Link_6=<br />
|GDPR_Article_7=<br />
|GDPR_Article_Link_7=<br />
<br />
|EU_Law_Name_1=<br />
|EU_Law_Link_1=<br />
|EU_Law_Name_2=<br />
|EU_Law_Link_2=<br />
<br />
|National_Law_Name_1=<br />
|National_Law_Link_1=<br />
|National_Law_Name_2=<br />
|National_Law_Link_2=<br />
<br />
|Party_Name_1=<br />
|Party_Link_1=<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=Unknown<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=Diana Rosu<br />
|<br />
}}<br />
<br />
The Romanian DPA fined a building owners association the equivalent of €7,000 for processing personal data without a legal basis, without properly informing the data subjects and for breaching the data minimisation and storage limitation principles. <br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
A building owners association acting as a controller was processing excessive amounts of personal data without properly informing the data subjects, without a legal basis and without respecting the data minimization and storage limitation principles. Namely:<br />
<br />
* the building owners association acting as a controller instructed one of its processors, a security company, to collect large amounts of personal data (name, surname, personal number, destination, arrival time, leaving time and other remarks) exclusively from persons entering the building complex to provide delivery and courier services. <br />
* the video footage captured by the surveillance cameras of the building complex was stored and kept longer than was necessary to fulfil the desired purpose.<br />
<br />
=== Holding ===<br />
Following a complaint against the excessive data collection practised by the security agents of a building complex, the Romanian DPA started an investigation against the security company. However, during the investigation, it was found that the security company was acting as a processor on behalf of a building owners association and it was collecting personal data according to the controller's instructions. More precisely, the security guards were collecting the name, surname, personal number, destination, arrival time, leaving time and other remarks of the delivery providers, and this data was kept in an internal register for access. Nevertheless, the entire processing occurred without properly informing the data subjects, without a legal basis and without respecting the data minimisation principle, in breach of GDPR Articles 5(1)a, b, (2) and 6.<br />
<br />
Additionally, during the investigation, the DPA found that the video surveillance systems aiming to control the access to the building complex did not respect the storage limitation principle, and were storing the video footage longer than necessary to achieve the desired purpose, in breach of Article 5(1)e and (2). <br />
<br />
As a result, the building owners association was fined the equivalent of: <br />
<br />
* €2,000 (RON 9,885.80) for the breach relating to the data collection of the delivery provider, and <br />
* €5,000 (RON 24,714.50) for the breach relating to the long storage of data collected through surveillance cameras. <br />
<br />
Additionally, the DPA imposed the following corrective measures against the building owners association: <br />
<br />
* the controller must review its technical and organisational measures and implement adequate retention periods; <br />
* the controller must implement the proportionality and storage limitation principles in its practices. <br />
<br />
== Comment ==<br />
This fine was among the highest imposed by the Romanian DPA.<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.<br />
<br />
<pre><br />
20.06.2022<br />
<br />
Sanction for violating the RGPD<br />
<br />
<br />
<br />
The National Supervisory Authority completed, on 27.05.2022, an investigation at the operator of the Park Aviation Owners Association, following which the violation of the provisions of the General Data Protection Regulation (RGPD) was found, the operator being sanctioned with a fine as follows:<br />
<br />
fine in the amount of 9,885.80 lei, the equivalent of 2000 EURO for violating the provisions of art. 5 para. (1) lit. a) and c) and par. (2) by reference to art. 6 of the RGPD, as the controller has excessively processed the personal data (name, surname, series and number of the identity document, destination, time of arrival, time of departure, observations) of the deliverers and / or couriers as data subjects, without a justified legal basis related to the purpose of the processing (control of access to the residential complex) and without providing evidence that it provides accurate and complete information to the data subjects, and that the data processed are adequate, relevant and limited to what is necessary in relation to purpose of processing; fine in the amount of 24,714.50 lei, the equivalent of 5000 EURO for violating the provisions of art. 5 para. (1) lit. e) and para. (2) of the RGPD, because the operator has not established a period of storage of personal data processed through the video surveillance system (images) and stored them for a longer period than necessary to fulfill the purpose for which they are processed, respectively the control of the access in the condominium, although it had the obligation to keep the images in a form that would allow the identification of the data subjects for a period that does not exceed the period necessary to fulfill the purposes for which the data are processed.<br />
<br />
At the same time, pursuant to art. 58 para. (2) lit. d) of the RGPD, the following corrective measures were ordered against the operator:<br />
<br />
Review and update the technical and organizational measures implemented as a result of the risk assessment for the rights and freedoms of individuals, including the procedures for the protection of personal data and the establishment of deadlines for keeping data in a form that allows the identification of data subjects for a period does not exceed the time required to fulfill the purposes for which the data are processed. Evaluation of the processing performed taking into account the principle of proportionality and minimization of data related to the purpose and legal basis of the processing and implementation of the necessary measures to comply with the principles related to the processing of personal data provided by art. 5 of the RGPD.<br />
<br />
The investigation was initiated following a complaint alleging a possible breach of the provisions of the RGPD, as the representatives of the security company collected and processed personal data for the purpose of accessing persons at the entrance to the residential complex, meaning that they requested a series of data to persons entering the complex and noting them in an internal register.<br />
<br />
The investigation revealed that the processing of data for access to the residential complex was carried out under a security contract concluded between the owners' association (operator) and the security company (proxy), by which the association mandated the security company to ensure security and protection of the target by security guards and complete the register of access to persons. In this regard, the operator issued for the power of attorney the instruction according to which the agencies performing the security services complete the Register of Access to Persons with the personal data mentioned in its fields, respectively name, surname, series and no. identity card, destination, time of arrival, time of departure, remarks, exclusively for delivery and / or courier services.<br />
<br />
At the same time, during the investigation it was found that at the level of the residential complex the access control was performed through the video surveillance system, and the Owners Association could not prove compliance with the principle of storage limitation, established by art. 5 para. (1) lit. e) of the RGPD, respectively the establishment of adequate image storage deadlines, finding the existence of stored images with an age of approximately one and a half years.<br />
<br />
In this context, we emphasize that according to art. 4 point 7 of the RGPD, the operator establishes the purpose and the means of processing, and according to art. 28 para. (3) lit. a) of the RGPD the proxy processes the data only on the basis of documented instructions from the operator.<br />
<br />
We also remind you that according to art. 5 of the RGPD, the operator must comply with the principles of data processing, including those on “legality, fairness and transparency”, “data minimization” and “storage limitation”. At the same time, the operator is responsible for compliance with the principles and must demonstrate this compliance ("liability principle").<br />
<br />
<br />
<br />
Legal and Communication Department<br />
<br />
A.N.S.P.D.C.P.<br />
</pre></div>DianaRhttps://gdprhub.eu/index.php?title=ANSPDCP_(Romania)_-_Fine_against_Asocia%C8%9Bia_de_Proprietari_Avia%C8%9Biei_Park&diff=26521ANSPDCP (Romania) - Fine against Asociația de Proprietari Aviației Park2022-06-22T06:47:00Z<p>DianaR: Created page with "{{DPAdecisionBOX |Jurisdiction=Romania |DPA-BG-Color=background-color:#ffffff; |DPAlogo=LogoRO.jpg |DPA_Abbrevation=ANSPDCP |DPA_With_Country=ANSPDCP (Romania) |Case_Number_..."</p>
<hr />
<div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=Romania<br />
|DPA-BG-Color=background-color:#ffffff;<br />
|DPAlogo=LogoRO.jpg<br />
|DPA_Abbrevation=ANSPDCP<br />
|DPA_With_Country=ANSPDCP (Romania)<br />
<br />
|Case_Number_Name=Fine against Asociația de Proprietari Aviației Park<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=ANSPDCP<br />
|Original_Source_Link_1=https://www.dataprotection.ro/?page=Comunicat_Presa_20_06_2022_2&lang=ro<br />
|Original_Source_Language_1=Romanian<br />
|Original_Source_Language__Code_1=RO<br />
|Original_Source_Name_2=<br />
|Original_Source_Link_2=<br />
|Original_Source_Language_2=<br />
|Original_Source_Language__Code_2=<br />
<br />
|Type=Investigation<br />
|Outcome=Violation Found<br />
|Date_Started=<br />
|Date_Decided=27.05.2022<br />
|Date_Published=20.06.2022<br />
|Year=2022<br />
|Fine=7000<br />
|Currency=EUR<br />
<br />
|GDPR_Article_1=Article 5(1)(a) GDPR<br />
|GDPR_Article_Link_1=Article 5 GDPR#1a<br />
|GDPR_Article_2=Article 5(1)(c) GDPR<br />
|GDPR_Article_Link_2=Article 5 GDPR#1c<br />
|GDPR_Article_3=Article 5(1)(e) GDPR<br />
|GDPR_Article_Link_3=Article 5 GDPR#1e<br />
|GDPR_Article_4=Article 5(2) GDPR<br />
|GDPR_Article_Link_4=Article 5 GDPR#2<br />
|GDPR_Article_5=Article 6 GDPR<br />
|GDPR_Article_Link_5=Article 6 GDPR<br />
|GDPR_Article_6=<br />
|GDPR_Article_Link_6=<br />
|GDPR_Article_7=<br />
|GDPR_Article_Link_7=<br />
<br />
|EU_Law_Name_1=<br />
|EU_Law_Link_1=<br />
|EU_Law_Name_2=<br />
|EU_Law_Link_2=<br />
<br />
|National_Law_Name_1=<br />
|National_Law_Link_1=<br />
|National_Law_Name_2=<br />
|National_Law_Link_2=<br />
<br />
|Party_Name_1=<br />
|Party_Link_1=<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=Unknown<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=Diana Rosu<br />
|<br />
}}<br />
<br />
The Romanian DPA fined a building owners association the equivalent of €7,000 for breaching the data minimisation and storage limitation principles. <br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
A building owners association acting as a controller was processing excessive amounts of personal data without properly informing the data subjects, without a legal basis and without respecting the data minimization principle. Namely:<br />
- the building owners association acting as a controller instructed one of its processors, a security company, to collect large amounts of personal data (name, surname, personal number, destination, arrival time, leaving time and other remarks) exclusively from persons entering the building complex to provide delivery and courier services. <br />
- the video footage captured by the surveillance cameras was stored and kept longer than was necessary to fulfil the desired purpose.<br />
<br />
=== Holding ===<br />
Following a complaint against the excessive data collection practised by the security agents, the Romanian DPA started an investigation against them. However, during the investigation, it was found that the security company was acting as a processor on behalf of the building owners association and was collecting personal data according to the controller's instructions. More precisely, the security guards were collecting the name, surname, personal number, destination, arrival time, leaving time and other remarks of persons entering the building complex to provide delivery or courier services, and this data was kept in an internal access register. Nevertheless, the entire processing occurred without properly informing the data subjects, without a legal basis and without respecting the data minimisation principle, in breach of GDPR Articles 5(1)a, b, (2) and 6.<br />
<br />
Additionally, during the investigation, the DPA found that the video surveillance systems used to control access to the building complex did not respect the storage limitation principle and were storing the video footage longer than necessary to achieve the purpose, in breach of Article 5(1)e and (2).<br />
<br />
As a result, the building owners association was fined the equivalent of €2,000 (RON 9,885.80) for the breach relating to the collection of delivery providers' data and €5,000 (RON 24,714.50) for the breach relating to the prolonged storage of data collected through surveillance cameras. Additionally, the DPA imposed the following corrective measures against the building owners association:<br />
- the controller must review its technical and organisational measures and implement adequate retention periods;<br />
- the controller must implement the proportionality and storage limitation principles in its practices. <br />
<br />
== Comment ==<br />
This fine was among the highest imposed by the Romanian DPA.<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.<br />
<br />
<pre><br />
20.06.2022<br />
<br />
Sanction for violating the RGPD<br />
<br />
<br />
<br />
The National Supervisory Authority completed, on 27.05.2022, an investigation at the operator of the Park Aviation Owners Association, following which the violation of the provisions of the General Data Protection Regulation (RGPD) was found, the operator being sanctioned with a fine as follows:<br />
<br />
fine in the amount of 9,885.80 lei, the equivalent of 2000 EURO for violating the provisions of art. 5 para. (1) lit. a) and c) and par. (2) by reference to art. 6 of the RGPD, as the controller has excessively processed the personal data (name, surname, series and number of the identity document, destination, time of arrival, time of departure, observations) of the deliverers and / or couriers as data subjects, without a justified legal basis related to the purpose of the processing (control of access to the residential complex) and without providing evidence that it provides accurate and complete information to the data subjects, and that the data processed are adequate, relevant and limited to what is necessary in relation to purpose of processing; fine in the amount of 24,714.50 lei, the equivalent of 5000 EURO for violating the provisions of art. 5 para. (1) lit. e) and para. (2) of the RGPD, because the operator has not established a period of storage of personal data processed through the video surveillance system (images) and stored them for a longer period than necessary to fulfill the purpose for which they are processed, respectively the control of the access in the condominium, although it had the obligation to keep the images in a form that would allow the identification of the data subjects for a period that does not exceed the period necessary to fulfill the purposes for which the data are processed.<br />
<br />
At the same time, pursuant to art. 58 para. (2) lit. d) of the RGPD, the following corrective measures were ordered against the operator:<br />
<br />
Review and update the technical and organizational measures implemented as a result of the risk assessment for the rights and freedoms of individuals, including the procedures for the protection of personal data and the establishment of deadlines for keeping data in a form that allows the identification of data subjects for a period does not exceed the time required to fulfill the purposes for which the data are processed. Evaluation of the processing performed taking into account the principle of proportionality and minimization of data related to the purpose and legal basis of the processing and implementation of the necessary measures to comply with the principles related to the processing of personal data provided by art. 5 of the RGPD.<br />
<br />
The investigation was initiated following a complaint alleging a possible breach of the provisions of the RGPD, as the representatives of the security company collected and processed personal data for the purpose of accessing persons at the entrance to the residential complex, meaning that they requested a series of data to persons entering the complex and noting them in an internal register.<br />
<br />
The investigation revealed that the processing of data for access to the residential complex was carried out under a security contract concluded between the owners' association (operator) and the security company (proxy), by which the association mandated the security company to ensure security and protection of the target by security guards and complete the register of access to persons. In this regard, the operator issued for the power of attorney the instruction according to which the agencies performing the security services complete the Register of Access to Persons with the personal data mentioned in its fields, respectively name, surname, series and no. identity card, destination, time of arrival, time of departure, remarks, exclusively for delivery and / or courier services.<br />
<br />
At the same time, during the investigation it was found that at the level of the residential complex the access control was performed through the video surveillance system, and the Owners Association could not prove compliance with the principle of storage limitation, established by art. 5 para. (1) lit. e) of the RGPD, respectively the establishment of adequate image storage deadlines, finding the existence of stored images with an age of approximately one and a half years.<br />
<br />
In this context, we emphasize that according to art. 4 point 7 of the RGPD, the operator establishes the purpose and the means of processing, and according to art. 28 para. (3) lit. a) of the RGPD the proxy processes the data only on the basis of documented instructions from the operator.<br />
<br />
We also remind you that according to art. 5 of the RGPD, the operator must comply with the principles of data processing, including those on “legality, fairness and transparency”, “data minimization” and “storage limitation”. At the same time, the operator is responsible for compliance with the principles and must demonstrate this compliance ("liability principle").<br />
<br />
<br />
<br />
Legal and Communication Department<br />
<br />
A.N.S.P.D.C.P.<br />
</pre></div>DianaRhttps://gdprhub.eu/index.php?title=ANSPDCP_(Romania)_-_Fine_against_SC_Interactions_Marketing_SRL&diff=26520ANSPDCP (Romania) - Fine against SC Interactions Marketing SRL2022-06-22T05:55:39Z<p>DianaR: /* Holding */</p>
<hr />
<div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=Romania<br />
|DPA-BG-Color=background-color:#ffffff;<br />
|DPAlogo=LogoRO.jpg<br />
|DPA_Abbrevation=ANSPDCP<br />
|DPA_With_Country=ANSPDCP (Romania)<br />
<br />
|Case_Number_Name=Fine against SC Interactions Marketing SRL<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=ANSPDCP<br />
|Original_Source_Link_1=https://www.dataprotection.ro/?page=Comunicat_Presa_20_06_2022_1&lang=ro<br />
|Original_Source_Language_1=Romanian<br />
|Original_Source_Language__Code_1=RO<br />
|Original_Source_Name_2=<br />
|Original_Source_Link_2=<br />
|Original_Source_Language_2=<br />
|Original_Source_Language__Code_2=<br />
<br />
|Type=Investigation<br />
|Outcome=Violation Found<br />
|Date_Started=<br />
|Date_Decided=<br />
|Date_Published=20.06.2022<br />
|Year=<br />
|Fine=1000<br />
|Currency=EUR<br />
<br />
|GDPR_Article_1=Article 32(1)(b) GDPR<br />
|GDPR_Article_Link_1=Article 32 GDPR#1b<br />
|GDPR_Article_2=<br />
|GDPR_Article_Link_2=<br />
|GDPR_Article_3=<br />
|GDPR_Article_Link_3=<br />
<br />
|EU_Law_Name_1=<br />
|EU_Law_Link_1=<br />
|EU_Law_Name_2=<br />
|EU_Law_Link_2=<br />
<br />
|National_Law_Name_1=<br />
|National_Law_Link_1=<br />
|National_Law_Name_2=<br />
|National_Law_Link_2=<br />
<br />
|Party_Name_1=SC Interactions Marketing SRL<br />
|Party_Link_1=https://www.interactions.ro/<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=Unknown<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=Diana Rosu<br />
|<br />
}}<br />
<br />
The Romanian DPA fined a processor responsible for the implementation of a marketing campaign the equivalent of €1,000 for breaching Article 32(1)b. The processor sent a marketing email to 27 data subjects without hiding the other recipients of the email. <br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
SC Interactions Marketing SRL is a processor providing CRM, marketing and digital services. While promoting a marketing campaign on behalf of a controller, SC Interactions Marketing SRL sent a marketing email to 27 data subjects without hiding the other recipients of the email. This way, each recipient of the marketing email had unauthorised access to the email addresses of the other recipients.<br />
<br />
=== Holding ===<br />
Following a complaint filed by one of the affected data subjects, the Romanian DPA started an investigation against the controller on whose behalf the marketing email had been sent. However, during the investigation, it was found that the processor implementing the marketing campaign did not take the necessary technical and organisational measures to ensure the confidentiality of the personal data processed, and therefore the processor was fined the equivalent of €1,000 (RON 4,942.3).<br />
<br />
== Comment ==<br />
''Share your comments here!''<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.<br />
<br />
<pre><br />
20.06.2022<br />
<br />
RGPD fine<br />
<br />
<br />
<br />
The National Supervisory Authority completed in May 2022 an investigation at SC Interactions Marketing SRL and found a violation of the provisions of art. 32 para. (1) lit. b) of the General Regulation on Data Protection.<br />
<br />
SC Interactions Marketing SRL, as the proxy of an operator, was sanctioned with a fine in the amount of 4,942.3 lei (equivalent to the amount of 1000 EURO).<br />
<br />
The investigation was initiated as a result of complaints from a data subject who complained that an operator had sent a commercial e-mail message to several persons, thus revealing their e-mail addresses.<br />
<br />
The investigation revealed that SC Interactions Marketing SRL, as a proxy, carried out a campaign for the requested operator, in which it sent a commercial message to the e-mail addresses belonging to a number of 27 people, without hiding them, allowing unauthorized disclosure of email addresses to other recipients.<br />
<br />
As such, SC Interactions Marketing SRL was sanctioned for violating the provisions of art. 32 para. (1) lit. b) of the General Regulation on Data Protection, although, as an authorized person, he had the obligation to adopt appropriate technical and organizational measures in order to ensure the confidentiality of the personal data processed.<br />
<br />
<br />
<br />
Legal and Communication Department<br />
<br />
A.N.S.P.D.C.P.<br />
</pre></div>DianaRhttps://gdprhub.eu/index.php?title=ANSPDCP_(Romania)_-_Fine_against_SC_Interactions_Marketing_SRL&diff=26519ANSPDCP (Romania) - Fine against SC Interactions Marketing SRL2022-06-22T05:54:23Z<p>DianaR: Created page with "{{DPAdecisionBOX |Jurisdiction=Romania |DPA-BG-Color=background-color:#ffffff; |DPAlogo=LogoRO.jpg |DPA_Abbrevation=ANSPDCP |DPA_With_Country=ANSPDCP (Romania) |Case_Number_..."</p>
<hr />
<div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=Romania<br />
|DPA-BG-Color=background-color:#ffffff;<br />
|DPAlogo=LogoRO.jpg<br />
|DPA_Abbrevation=ANSPDCP<br />
|DPA_With_Country=ANSPDCP (Romania)<br />
<br />
|Case_Number_Name=Fine against SC Interactions Marketing SRL<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=ANSPDCP<br />
|Original_Source_Link_1=https://www.dataprotection.ro/?page=Comunicat_Presa_20_06_2022_1&lang=ro<br />
|Original_Source_Language_1=Romanian<br />
|Original_Source_Language__Code_1=RO<br />
|Original_Source_Name_2=<br />
|Original_Source_Link_2=<br />
|Original_Source_Language_2=<br />
|Original_Source_Language__Code_2=<br />
<br />
|Type=Investigation<br />
|Outcome=Violation Found<br />
|Date_Started=<br />
|Date_Decided=<br />
|Date_Published=20.06.2022<br />
|Year=<br />
|Fine=1000<br />
|Currency=EUR<br />
<br />
|GDPR_Article_1=Article 32(1)(b) GDPR<br />
|GDPR_Article_Link_1=Article 32 GDPR#1b<br />
|GDPR_Article_2=<br />
|GDPR_Article_Link_2=<br />
|GDPR_Article_3=<br />
|GDPR_Article_Link_3=<br />
<br />
|EU_Law_Name_1=<br />
|EU_Law_Link_1=<br />
|EU_Law_Name_2=<br />
|EU_Law_Link_2=<br />
<br />
|National_Law_Name_1=<br />
|National_Law_Link_1=<br />
|National_Law_Name_2=<br />
|National_Law_Link_2=<br />
<br />
|Party_Name_1=SC Interactions Marketing SRL<br />
|Party_Link_1=https://www.interactions.ro/<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=Unknown<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=Diana Rosu<br />
|<br />
}}<br />
<br />
The Romanian DPA fined a processor responsible for the implementation of a marketing campaign the equivalent of €1,000 for breaching Article 32(1)b. The processor sent a marketing email to 27 data subjects without hiding the other recipients of the email. <br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
SC Interactions Marketing SRL is a processor providing CRM, marketing and digital services. While promoting a marketing campaign on behalf of a controller, SC Interactions Marketing SRL sent a marketing email to 27 data subjects without hiding the other recipients of the email. This way, each recipient of the marketing email had unauthorised access to the email addresses of the other recipients.<br />
<br />
=== Holding ===<br />
Following a complaint filed by one of the affected data subjects, the Romanian DPA started an investigation against the controller on whose behalf the marketing email had been sent. However, during the investigation, it was found that the processor implementing the marketing campaign did not take the necessary technical and organisational measures to ensure the confidentiality of the personal data processed, and the processor was therefore fined the equivalent of €1,000 (RON 4,942.3).<br />
<br />
== Comment ==<br />
''Share your comments here!''<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.<br />
<br />
<pre><br />
20.06.2022<br />
<br />
RGPD fine<br />
<br />
<br />
<br />
The National Supervisory Authority completed in May 2022 an investigation at SC Interactions Marketing SRL and found a violation of the provisions of art. 32 para. (1) lit. b) of the General Regulation on Data Protection.<br />
<br />
SC Interactions Marketing SRL, as the proxy of an operator, was sanctioned with a fine in the amount of 4,942.3 lei (equivalent to the amount of 1000 EURO).<br />
<br />
The investigation was initiated as a result of complaints from a data subject who complained that an operator had sent a commercial e-mail message to several persons, thus revealing their e-mail addresses.<br />
<br />
The investigation revealed that SC Interactions Marketing SRL, as a proxy, carried out a campaign for the requested operator, in which it sent a commercial message to the e-mail addresses belonging to a number of 27 people, without hiding them, allowing unauthorized disclosure of email addresses to other recipients.<br />
<br />
As such, SC Interactions Marketing SRL was sanctioned for violating the provisions of art. 32 para. (1) lit. b) of the General Regulation on Data Protection, although, as an authorized person, he had the obligation to adopt appropriate technical and organizational measures in order to ensure the confidentiality of the personal data processed.<br />
<br />
<br />
<br />
Legal and Communication Department<br />
<br />
A.N.S.P.D.C.P.<br />
</pre></div>DianaRhttps://gdprhub.eu/index.php?title=ANSPDCP_(Romania)_-_Fine_against_Concordia_Capital_IFN_S.A.&diff=25888ANSPDCP (Romania) - Fine against Concordia Capital IFN S.A.2022-05-17T01:37:56Z<p>DianaR: /* English Summary */</p>
<hr />
<div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=Romania<br />
|DPA-BG-Color=background-color:#ffffff;<br />
|DPAlogo=LogoRO.jpg<br />
|DPA_Abbrevation=ANSPDCP<br />
|DPA_With_Country=ANSPDCP (Romania)<br />
<br />
|Case_Number_Name=Fine against Concordia Capital IFN S.A.<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=ANSPDCP<br />
|Original_Source_Link_1=https://www.dataprotection.ro/?page=Comunicat_Presa_04_05_2022&lang=ro<br />
|Original_Source_Language_1=Romanian<br />
|Original_Source_Language__Code_1=RO<br />
|Original_Source_Name_2=<br />
|Original_Source_Link_2=<br />
|Original_Source_Language_2=<br />
|Original_Source_Language__Code_2=<br />
<br />
|Type=Investigation<br />
|Outcome=Violation Found<br />
|Date_Started=<br />
|Date_Decided=<br />
|Date_Published=04.05.2022<br />
|Year=<br />
|Fine=4000<br />
|Currency=EUR<br />
<br />
|GDPR_Article_1=Article 5(1)(a) GDPR<br />
|GDPR_Article_Link_1=Article 5 GDPR#1a<br />
|GDPR_Article_2=Article 5(1)(b) GDPR<br />
|GDPR_Article_Link_2=Article 5 GDPR#1b<br />
|GDPR_Article_3=Article 5(1)(c) GDPR<br />
|GDPR_Article_Link_3=Article 5 GDPR#1c<br />
|GDPR_Article_4=Article 5(2) GDPR<br />
|GDPR_Article_Link_4=Article 5 GDPR#2<br />
|GDPR_Article_5=Article 6 GDPR<br />
|GDPR_Article_Link_5=Article 6 GDPR<br />
|GDPR_Article_6=<br />
|GDPR_Article_Link_6=<br />
|GDPR_Article_7=<br />
|GDPR_Article_Link_7=<br />
<br />
|EU_Law_Name_1=<br />
|EU_Law_Link_1=<br />
|EU_Law_Name_2=<br />
|EU_Law_Link_2=<br />
<br />
|National_Law_Name_1=Article 5 Law no. 190/2018<br />
|National_Law_Link_1=https://legislatie.just.ro/Public/DetaliiDocument/203151<br />
|National_Law_Name_2=<br />
|National_Law_Link_2=<br />
|National_Law_Name_3=<br />
|National_Law_Link_3=<br />
<br />
|Party_Name_1=Concordia Capital IFN S.A.<br />
|Party_Link_1=https://concordiacapital.ro/start/<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=Unknown<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=Diana Rosu<br />
|<br />
}}<br />
<br />
The Romanian DPA fined a controller EUR 4,000 for installing video surveillance systems in its offices, monitoring its employees, without a legal basis in breach of Article 6, without respecting GDPR principles stated in Art 5(1)a,b,c and (2) and without having a justified purpose. <br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
After the controller Concordia Capital IFN S.A. installed surveillance cameras inside its offices, its employees filed a complaint with the Romanian DPA.<br />
<br />
=== Holding ===<br />
The Romanian DPA started an investigation and found that: <br />
<br />
* the purpose invoked for installing the surveillance cameras, and therefore for processing its employees' personal data, was not justified, and less intrusive measures could have been used to reach the same purpose (physical security);<br />
* the controller processed the personal data without a legal basis, in breach of Article 6, and without respecting the data processing principles stated in Articles 5(1)a, b, c and 5(2);<br />
* the controller did not use the video surveillance systems according to the legal requirements of Article 5 of the national law no. 190/2018, which regulates the conditions for installing video surveillance at the workplace in connection with GDPR Article 6, lit f.<br />
<br />
As a result, the controller was fined approximately EUR 4,000 (RON 19,772.4).<br />
<br />
== Comment ==<br />
''Share your comments here!''<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.<br />
<br />
<pre><br />
04.05.2022<br />
<br />
A new sanction for violating the RGPD<br />
<br />
<br />
<br />
In April 2022, the National Supervisory Authority completed an investigation at the Concordia Capital IFN S.A. and found a violation of the provisions of art. 5 and art. 6 of the General Data Protection Regulation.<br />
<br />
Concordia Capital IFN S.A. was sanctioned with a fine in the amount of 19,772.4 lei (equivalent to the amount of 4000 EURO).<br />
<br />
The sanction was applied as a result of a complaint alleging that the operator installed audio-video cameras in the offices of his employees in violation of the legal provisions on the protection of personal data.<br />
<br />
In the investigation initiated by the Supervisory Authority, the following were found:<br />
<br />
that the operator has not proved that the purpose of its rules of procedure (ensuring the protection of persons, property and valuables of the employer and employees) is justified and that other less intrusive means have been used to achieve it which have not proved effective, prior to the adoption of the decision taken in 2020 to use monitoring systems by electronic means of communication and / or by means of video surveillance at work; that the operator did not present evidence regarding the observance of the processing principles regulated by art. 5 para. (1) lit. a), b), c) and par. (2) and the legality conditions provided by art. 6 of the General Regulation on Data Protection, which allows Concordia Capital IFN SA to use the means of video surveillance inside the offices used by its employees and implicitly the processing in this way of the personal data of the persons working in these spaces; that the operator did not present evidence showing that he fulfilled all the conditions provided by art. 5 of Law no. 190/2018.<br />
<br />
In this context, we specify that, by reference to art. 6 lit. f) of the General Regulation on Data Protection, the provisions of art. 5 of Law no. 190/2018 establish the following:<br />
<br />
"If monitoring systems are used by electronic means of communication and / or by means of video surveillance at work, the processing of personal data of employees, in order to achieve the legitimate interests pursued by the employer, is allowed only if:<br />
<br />
a) the legitimate interests pursued by the employer are duly justified and prevail over the interests or the rights and freedoms of the data subjects;<br />
<br />
b) the employer has provided mandatory, complete and explicit prior information to employees;<br />
<br />
c) the employer consulted the union or, as the case may be, the employees' representatives before the introduction of the monitoring systems;<br />
<br />
d) other less intrusive forms and methods for achieving the goal pursued by the employer have not previously proved their effectiveness; and<br />
<br />
e) the duration of storage of personal data is proportional to the purpose of processing, but not more than 30 days, except in situations expressly regulated by law or in duly justified cases. "<br />
<br />
<br />
<br />
Legal and Communication Department<br />
<br />
A.N.S.P.D.C.P.<br />
</pre></div>DianaRhttps://gdprhub.eu/index.php?title=ANSPDCP_(Romania)_-_Fine_against_Concordia_Capital_IFN_S.A.&diff=25887ANSPDCP (Romania) - Fine against Concordia Capital IFN S.A.2022-05-17T01:37:00Z<p>DianaR: Created page with "{{DPAdecisionBOX |Jurisdiction=Romania |DPA-BG-Color=background-color:#ffffff; |DPAlogo=LogoRO.jpg |DPA_Abbrevation=ANSPDCP |DPA_With_Country=ANSPDCP (Romania) |Case_Number_..."</p>
<hr />
<div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=Romania<br />
|DPA-BG-Color=background-color:#ffffff;<br />
|DPAlogo=LogoRO.jpg<br />
|DPA_Abbrevation=ANSPDCP<br />
|DPA_With_Country=ANSPDCP (Romania)<br />
<br />
|Case_Number_Name=Fine against Concordia Capital IFN S.A.<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=ANSPDCP<br />
|Original_Source_Link_1=https://www.dataprotection.ro/?page=Comunicat_Presa_04_05_2022&lang=ro<br />
|Original_Source_Language_1=Romanian<br />
|Original_Source_Language__Code_1=RO<br />
|Original_Source_Name_2=<br />
|Original_Source_Link_2=<br />
|Original_Source_Language_2=<br />
|Original_Source_Language__Code_2=<br />
<br />
|Type=Investigation<br />
|Outcome=Violation Found<br />
|Date_Started=<br />
|Date_Decided=<br />
|Date_Published=04.05.2022<br />
|Year=<br />
|Fine=4000<br />
|Currency=EUR<br />
<br />
|GDPR_Article_1=Article 5(1)(a) GDPR<br />
|GDPR_Article_Link_1=Article 5 GDPR#1a<br />
|GDPR_Article_2=Article 5(1)(b) GDPR<br />
|GDPR_Article_Link_2=Article 5 GDPR#1b<br />
|GDPR_Article_3=Article 5(1)(c) GDPR<br />
|GDPR_Article_Link_3=Article 5 GDPR#1c<br />
|GDPR_Article_4=Article 5(2) GDPR<br />
|GDPR_Article_Link_4=Article 5 GDPR#2<br />
|GDPR_Article_5=Article 6 GDPR<br />
|GDPR_Article_Link_5=Article 6 GDPR<br />
|GDPR_Article_6=<br />
|GDPR_Article_Link_6=<br />
|GDPR_Article_7=<br />
|GDPR_Article_Link_7=<br />
<br />
|EU_Law_Name_1=<br />
|EU_Law_Link_1=<br />
|EU_Law_Name_2=<br />
|EU_Law_Link_2=<br />
<br />
|National_Law_Name_1=Article 5 Law no. 190/2018<br />
|National_Law_Link_1=https://legislatie.just.ro/Public/DetaliiDocument/203151<br />
|National_Law_Name_2=<br />
|National_Law_Link_2=<br />
|National_Law_Name_3=<br />
|National_Law_Link_3=<br />
<br />
|Party_Name_1=Concordia Capital IFN S.A.<br />
|Party_Link_1=https://concordiacapital.ro/start/<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=Unknown<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=Diana Rosu<br />
|<br />
}}<br />
<br />
The Romanian DPA fined a controller EUR 4,000 for installing video surveillance systems in its offices, monitoring its employees, without a legal basis in breach of Article 6, without respecting GDPR principles stated in Art 5(1)a,b,c and (2) and without having a justified purpose. <br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
After the controller Concordia Capital IFN S.A. installed surveillance cameras inside its offices, its employees filed a complaint with the Romanian DPA.<br />
<br />
=== Holding ===<br />
The Romanian DPA started an investigation and found that: <br />
- the purpose invoked for installing the surveillance cameras, and therefore for processing its employees' personal data, was not justified, and less intrusive measures could have been used to reach the same purpose (physical security);<br />
- the controller processed the personal data without a legal basis, in breach of Article 6, and without respecting the data processing principles stated in Articles 5(1)a, b, c and 5(2);<br />
- the controller did not use the video surveillance systems according to the legal requirements of Article 5 of the national law no. 190/2018, which regulates the conditions for installing video surveillance at the workplace in connection with GDPR Article 6, lit f.<br />
<br />
As a result, the controller was fined approximately EUR 4,000 (RON 19,772.4).<br />
<br />
== Comment ==<br />
''Share your comments here!''<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.<br />
<br />
<pre><br />
04.05.2022<br />
<br />
A new sanction for violating the RGPD<br />
<br />
<br />
<br />
In April 2022, the National Supervisory Authority completed an investigation at the Concordia Capital IFN S.A. and found a violation of the provisions of art. 5 and art. 6 of the General Data Protection Regulation.<br />
<br />
Concordia Capital IFN S.A. was sanctioned with a fine in the amount of 19,772.4 lei (equivalent to the amount of 4000 EURO).<br />
<br />
The sanction was applied as a result of a complaint alleging that the operator installed audio-video cameras in the offices of his employees in violation of the legal provisions on the protection of personal data.<br />
<br />
In the investigation initiated by the Supervisory Authority, the following were found:<br />
<br />
that the operator has not proved that the purpose of its rules of procedure (ensuring the protection of persons, property and valuables of the employer and employees) is justified and that other less intrusive means have been used to achieve it which have not proved effective, prior to the adoption of the decision taken in 2020 to use monitoring systems by electronic means of communication and / or by means of video surveillance at work; that the operator did not present evidence regarding the observance of the processing principles regulated by art. 5 para. (1) lit. a), b), c) and par. (2) and the legality conditions provided by art. 6 of the General Regulation on Data Protection, which allows Concordia Capital IFN SA to use the means of video surveillance inside the offices used by its employees and implicitly the processing in this way of the personal data of the persons working in these spaces; that the operator did not present evidence showing that he fulfilled all the conditions provided by art. 5 of Law no. 190/2018.<br />
<br />
In this context, we specify that, by reference to art. 6 lit. f) of the General Regulation on Data Protection, the provisions of art. 5 of Law no. 190/2018 establish the following:<br />
<br />
"If monitoring systems are used by electronic means of communication and / or by means of video surveillance at work, the processing of personal data of employees, in order to achieve the legitimate interests pursued by the employer, is allowed only if:<br />
<br />
a) the legitimate interests pursued by the employer are duly justified and prevail over the interests or the rights and freedoms of the data subjects;<br />
<br />
b) the employer has provided mandatory, complete and explicit prior information to employees;<br />
<br />
c) the employer consulted the union or, as the case may be, the employees' representatives before the introduction of the monitoring systems;<br />
<br />
d) other less intrusive forms and methods for achieving the goal pursued by the employer have not previously proved their effectiveness; and<br />
<br />
e) the duration of storage of personal data is proportional to the purpose of processing, but not more than 30 days, except in situations expressly regulated by law or in duly justified cases."<br />
<br />
<br />
<br />
Legal and Communication Department<br />
<br />
A.N.S.P.D.C.P.<br />
</pre></div>DianaRhttps://gdprhub.eu/index.php?title=ANSPDCP_(Romania)_-_Fine_against_Megareduceri_TV_S.R.L&diff=25886ANSPDCP (Romania) - Fine against Megareduceri TV S.R.L2022-05-17T01:13:19Z<p>DianaR: /* Holding */</p>
<hr />
<div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=Romania<br />
|DPA-BG-Color=background-color:#ffffff;<br />
|DPAlogo=LogoRO.jpg<br />
|DPA_Abbrevation=ANSPDCP<br />
|DPA_With_Country=ANSPDCP (Romania)<br />
<br />
|Case_Number_Name=Fine against Megareduceri TV S.R.L<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=ANSPDCP<br />
|Original_Source_Link_1=https://www.dataprotection.ro/?page=Comunicat_Presa_03_05_2022&lang=ro<br />
|Original_Source_Language_1=Romanian<br />
|Original_Source_Language__Code_1=RO<br />
|Original_Source_Name_2=<br />
|Original_Source_Link_2=<br />
|Original_Source_Language_2=<br />
|Original_Source_Language__Code_2=<br />
<br />
|Type=Investigation<br />
|Outcome=Violation Found<br />
|Date_Started=<br />
|Date_Decided=<br />
|Date_Published=03.05.2022<br />
|Year=<br />
|Fine=4000<br />
|Currency=EUR<br />
<br />
|GDPR_Article_1=Article 58(1) GDPR<br />
|GDPR_Article_Link_1=Article 58 GDPR#1<br />
|GDPR_Article_2=Article 83(5)(e) GDPR<br />
|GDPR_Article_Link_2=Article 83 GDPR#5e<br />
|GDPR_Article_3=<br />
|GDPR_Article_Link_3=<br />
|GDPR_Article_4=<br />
|GDPR_Article_Link_4=<br />
<br />
|EU_Law_Name_1=<br />
|EU_Law_Link_1=<br />
|EU_Law_Name_2=<br />
|EU_Law_Link_2=<br />
<br />
|National_Law_Name_1=<br />
|National_Law_Link_1=<br />
|National_Law_Name_2=<br />
|National_Law_Link_2=<br />
<br />
|Party_Name_1=Megareduceri TV S.R.L<br />
|Party_Link_1=https://megareduceri.tv/<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=Unknown<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=Diana Rosu<br />
|<br />
}}<br />
<br />
The Romanian DPA fined a controller EUR 4,000 after it failed to collaborate during an investigation, in breach of Articles 83(5)e and 58(1).<br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
After receiving several marketing communications via SMS without offering their consent, a number of data subjects filed a series of complaints with the Romanian DPA against the controller Megareduceri TV S.R.L. <br />
<br />
=== Holding ===<br />
The Romanian DPA started an investigation against the controller, but its request to access the relevant documentation was not fulfilled. As a result, the controller was found in breach of GDPR Articles 83(5)e and 58(1), was fined approximately EUR 4,000 (RON 19795.6) and was made subject to the corrective measures of:<br />
<br />
* ensuring compliance with GDPR, including avoiding processing personal data for marketing purposes without a legal basis;<br />
* taking the necessary measures and evaluating the means through which personal data is processed for marketing purposes.<br />
<br />
== Comment ==<br />
''Share your comments here!''<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.<br />
<br />
<pre><br />
03.05.2022<br />
<br />
RGPD fine<br />
<br />
<br />
<br />
The National Supervisory Authority completed in March 2022 an investigation into the operator Megareduceri TV S.R.L., to which it imposed a fine, as a result of the fact that this operator did not provide the information requested by our institution, thus violating the provisions of art. 83 para. (5) lit. e) correlated with the provisions of art. 58 para. (1) of the General Data Protection Regulation.<br />
<br />
As such, the operator Megareduceri TV S.R.L was sanctioned with a fine in the amount of 19795.6 lei (equivalent to the amount of 4,000 EURO).<br />
<br />
The investigation was started as a result of the complaints of several petitioners who notified us that they had received by sms commercial messages promoting the services on the site www.reducerazi.ro, without having expressed their consent to receive such messages on personal phone numbers.<br />
<br />
As the operator did not respond to our institution's requests, although he confirmed their receipt, he was fined.<br />
<br />
At the same time, the following corrective measures were applied to the operator:<br />
<br />
the corrective action to ensure that the processing operations comply with the provisions of the RGPD, respectively to avoid situations of processing of personal data without the consent of the data subjects and without the existence of another situation in which the consent is not required; the corrective action is to take the necessary steps to evaluate the processing of personal data so that data such as telephone numbers are no longer processed for the purpose of direct marketing or the transmission of commercial communications by electronic communications services to the public without the express prior consent of targeted persons.<br />
<br />
Legal and Communication Department<br />
<br />
A.N.S.P.D.C.P.<br />
</pre></div>DianaRhttps://gdprhub.eu/index.php?title=ANSPDCP_(Romania)_-_Fine_against_Megareduceri_TV_S.R.L&diff=25885ANSPDCP (Romania) - Fine against Megareduceri TV S.R.L2022-05-17T01:12:38Z<p>DianaR: Created page with "{{DPAdecisionBOX |Jurisdiction=Romania |DPA-BG-Color=background-color:#ffffff; |DPAlogo=LogoRO.jpg |DPA_Abbrevation=ANSPDCP |DPA_With_Country=ANSPDCP (Romania) |Case_Number_..."</p>
<hr />
<div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=Romania<br />
|DPA-BG-Color=background-color:#ffffff;<br />
|DPAlogo=LogoRO.jpg<br />
|DPA_Abbrevation=ANSPDCP<br />
|DPA_With_Country=ANSPDCP (Romania)<br />
<br />
|Case_Number_Name=Fine against Megareduceri TV S.R.L<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=ANSPDCP<br />
|Original_Source_Link_1=https://www.dataprotection.ro/?page=Comunicat_Presa_03_05_2022&lang=ro<br />
|Original_Source_Language_1=Romanian<br />
|Original_Source_Language__Code_1=RO<br />
|Original_Source_Name_2=<br />
|Original_Source_Link_2=<br />
|Original_Source_Language_2=<br />
|Original_Source_Language__Code_2=<br />
<br />
|Type=Investigation<br />
|Outcome=Violation Found<br />
|Date_Started=<br />
|Date_Decided=<br />
|Date_Published=03.05.2022<br />
|Year=<br />
|Fine=4000<br />
|Currency=EUR<br />
<br />
|GDPR_Article_1=Article 58(1) GDPR<br />
|GDPR_Article_Link_1=Article 58 GDPR#1<br />
|GDPR_Article_2=Article 83(5)(e) GDPR<br />
|GDPR_Article_Link_2=Article 83 GDPR#5e<br />
|GDPR_Article_3=<br />
|GDPR_Article_Link_3=<br />
|GDPR_Article_4=<br />
|GDPR_Article_Link_4=<br />
<br />
|EU_Law_Name_1=<br />
|EU_Law_Link_1=<br />
|EU_Law_Name_2=<br />
|EU_Law_Link_2=<br />
<br />
|National_Law_Name_1=<br />
|National_Law_Link_1=<br />
|National_Law_Name_2=<br />
|National_Law_Link_2=<br />
<br />
|Party_Name_1=Megareduceri TV S.R.L<br />
|Party_Link_1=https://megareduceri.tv/<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=Unknown<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=Diana Rosu<br />
|<br />
}}<br />
<br />
The Romanian DPA fined a controller EUR 4,000 after it failed to collaborate during an investigation, in breach of Articles 83(5)e and 58(1).<br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
After receiving several marketing communications via SMS without offering their consent, a number of data subjects filed a series of complaints with the Romanian DPA against the controller Megareduceri TV S.R.L. <br />
<br />
=== Holding ===<br />
The Romanian DPA started an investigation against the controller, but its request to access the relevant documentation was not fulfilled. As a result, the controller was found in breach of GDPR Articles 83(5)e and 58(1), was fined approximately EUR 4,000 (RON 19795.6) and was made subject to the corrective measures of:<br />
- ensuring compliance with GDPR, including avoiding processing personal data for marketing purposes without a legal basis;<br />
- taking the necessary measures and evaluating the means through which personal data is processed for marketing purposes.<br />
<br />
== Comment ==<br />
''Share your comments here!''<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.<br />
<br />
<pre><br />
03.05.2022<br />
<br />
RGPD fine<br />
<br />
<br />
<br />
The National Supervisory Authority completed in March 2022 an investigation into the operator Megareduceri TV S.R.L., to which it imposed a fine, as a result of the fact that this operator did not provide the information requested by our institution, thus violating the provisions of art. 83 para. (5) lit. e) correlated with the provisions of art. 58 para. (1) of the General Data Protection Regulation.<br />
<br />
As such, the operator Megareduceri TV S.R.L was sanctioned with a fine in the amount of 19795.6 lei (equivalent to the amount of 4,000 EURO).<br />
<br />
The investigation was started as a result of the complaints of several petitioners who notified us that they had received by sms commercial messages promoting the services on the site www.reducerazi.ro, without having expressed their consent to receive such messages on personal phone numbers.<br />
<br />
As the operator did not respond to our institution's requests, although he confirmed their receipt, he was fined.<br />
<br />
At the same time, the following corrective measures were applied to the operator:<br />
<br />
the corrective action to ensure that the processing operations comply with the provisions of the RGPD, respectively to avoid situations of processing of personal data without the consent of the data subjects and without the existence of another situation in which the consent is not required; the corrective action is to take the necessary steps to evaluate the processing of personal data so that data such as telephone numbers are no longer processed for the purpose of direct marketing or the transmission of commercial communications by electronic communications services to the public without the express prior consent of targeted persons.<br />
<br />
Legal and Communication Department<br />
<br />
A.N.S.P.D.C.P.<br />
</pre></div>DianaRhttps://gdprhub.eu/index.php?title=ANSPDCP_(Romania)_-_Fine_against_LORIS_FUEL_SHOP_SRL&diff=25884ANSPDCP (Romania) - Fine against LORIS FUEL SHOP SRL2022-05-17T00:52:32Z<p>DianaR: /* Holding */</p>
<hr />
<div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=Romania<br />
|DPA-BG-Color=background-color:#ffffff;<br />
|DPAlogo=LogoRO.jpg<br />
|DPA_Abbrevation=ANSPDCP<br />
|DPA_With_Country=ANSPDCP (Romania)<br />
<br />
|Case_Number_Name=Fine against LORIS FUEL SHOP SRL<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=ANSPDCP<br />
|Original_Source_Link_1=https://www.dataprotection.ro/?page=Comunicat_Presa_12_05_2022&lang=ro<br />
|Original_Source_Language_1=Romanian<br />
|Original_Source_Language__Code_1=RO<br />
|Original_Source_Name_2=<br />
|Original_Source_Link_2=<br />
|Original_Source_Language_2=<br />
|Original_Source_Language__Code_2=<br />
<br />
|Type=Investigation<br />
|Outcome=Violation Found<br />
|Date_Started=<br />
|Date_Decided=<br />
|Date_Published=12.05.2022<br />
|Year=<br />
|Fine=1000<br />
|Currency=EUR<br />
<br />
|GDPR_Article_1=Article 29 GDPR<br />
|GDPR_Article_Link_1=Article 29 GDPR<br />
|GDPR_Article_2=Article 32(4) GDPR<br />
|GDPR_Article_Link_2=Article 32 GDPR#4<br />
|GDPR_Article_3=<br />
|GDPR_Article_Link_3=<br />
|GDPR_Article_4=<br />
|GDPR_Article_Link_4=<br />
<br />
|EU_Law_Name_1=<br />
|EU_Law_Link_1=<br />
|EU_Law_Name_2=<br />
|EU_Law_Link_2=<br />
<br />
|National_Law_Name_1=<br />
|National_Law_Link_1=<br />
|National_Law_Name_2=<br />
|National_Law_Link_2=<br />
<br />
|Party_Name_1=LORIS FUEL SHOP SRL<br />
|Party_Link_1=<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=Unknown<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=Diana Rosu<br />
|<br />
}}<br />
<br />
The Romanian DPA fined a gas station EUR 1,000 after video footage captured by its surveillance cameras was accessed by an unauthorised person and then unlawfully uploaded to Facebook, in breach of Articles 29 and 32(4). <br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
Video footage of a data subject captured by the surveillance cameras of a gas station was inadequately processed and consequently accessed by an unauthorised person. The video was then unlawfully uploaded to Facebook and, as a result, the data subject filed a complaint with the Romanian DPA.<br />
<br />
=== Holding ===<br />
The Romanian DPA started an investigation against the gas station responsible for the unlawful processing of the video footage and found a violation of GDPR Articles 29 and 32(2). Namely, the controller LORIS FUEL SHOP SRL did not implement the necessary technical and organisational measures; in particular, it did not train its employees to ensure adequate protection of the personal data. The controller was fined approximately EUR 1,000 (RON 4.941,3) and is now required to implement the necessary technical and organisational measures, including training its employees to protect and ensure the security of the personal data processed through video surveillance. <br />
<br />
== Comment ==<br />
''Share your comments here!''<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.<br />
<br />
<pre><br />
12.05.2022<br />
<br />
Sanction for violating the RGPD<br />
<br />
<br />
<br />
The National Supervisory Authority completed in April 2022 an investigation at the operator LORIS FUEL SHOP SRL and found the violation of the provisions of art.29 and art.32 par. (4) of the General Data Protection Regulation (RGPD).<br />
<br />
The operator LORIS FUEL SHOP SRL was sanctioned with a fine in the amount of 4,941.3 lei, the equivalent of 1,000 EURO.<br />
<br />
The investigation was initiated following a complaint in which the petitioner claimed the publication on Facebook of some images in which he was caught and which came from the monitor belonging to a video surveillance system installed in a gas station in Harghita County.<br />
<br />
During the investigation, it was found that the operator LORIS FUEL SHOP SRL, as a proxy, did not adopt sufficient appropriate technical and organizational measures to ensure the confidentiality of personal data processed on images recorded through the television system installed in the stations used, especially in terms of training data controllers under its authority (employees). This led to the viewing and filming by unauthorized third parties of the images of the video cameras from the working point in Harghita County, later being revealed on a social network, thus violating the provisions of art. 29 and 32 para. (4) of Regulation (EU) 2016/679.<br />
<br />
At the same time, during the investigation of the operator LORIS FUEL SHOP SRL, a corrective measure was applied to ensure compliance with RGPD of personal data processing operations, by implementing appropriate technical and organizational measures, especially in terms of training data processors under the authority (employees or collaborators), by regularly organizing training sessions with them, in connection with their obligations regarding the processing of personal data through the video system installed in stations, the verification of access to recordings of images stored on DVR, rapid detection, management and reporting of personal data breaches.<br />
<br />
<br />
<br />
Legal and Communication Department<br />
<br />
A.N.S.P.D.C.P<br />
</pre></div>DianaRhttps://gdprhub.eu/index.php?title=ANSPDCP_(Romania)_-_Fine_against_LORIS_FUEL_SHOP_SRL&diff=25883ANSPDCP (Romania) - Fine against LORIS FUEL SHOP SRL2022-05-17T00:50:16Z<p>DianaR: Created page with "{{DPAdecisionBOX |Jurisdiction=Romania |DPA-BG-Color=background-color:#ffffff; |DPAlogo=LogoRO.jpg |DPA_Abbrevation=ANSPDCP |DPA_With_Country=ANSPDCP (Romania) |Case_Number_..."</p>
<hr />
<div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=Romania<br />
|DPA-BG-Color=background-color:#ffffff;<br />
|DPAlogo=LogoRO.jpg<br />
|DPA_Abbrevation=ANSPDCP<br />
|DPA_With_Country=ANSPDCP (Romania)<br />
<br />
|Case_Number_Name=Fine against LORIS FUEL SHOP SRL<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=ANSPDCP<br />
|Original_Source_Link_1=https://www.dataprotection.ro/?page=Comunicat_Presa_12_05_2022&lang=ro<br />
|Original_Source_Language_1=Romanian<br />
|Original_Source_Language__Code_1=RO<br />
|Original_Source_Name_2=<br />
|Original_Source_Link_2=<br />
|Original_Source_Language_2=<br />
|Original_Source_Language__Code_2=<br />
<br />
|Type=Investigation<br />
|Outcome=Violation Found<br />
|Date_Started=<br />
|Date_Decided=<br />
|Date_Published=12.05.2022<br />
|Year=<br />
|Fine=1000<br />
|Currency=EUR<br />
<br />
|GDPR_Article_1=Article 29 GDPR<br />
|GDPR_Article_Link_1=Article 29 GDPR<br />
|GDPR_Article_2=Article 32(4) GDPR<br />
|GDPR_Article_Link_2=Article 32 GDPR#4<br />
|GDPR_Article_3=<br />
|GDPR_Article_Link_3=<br />
|GDPR_Article_4=<br />
|GDPR_Article_Link_4=<br />
<br />
|EU_Law_Name_1=<br />
|EU_Law_Link_1=<br />
|EU_Law_Name_2=<br />
|EU_Law_Link_2=<br />
<br />
|National_Law_Name_1=<br />
|National_Law_Link_1=<br />
|National_Law_Name_2=<br />
|National_Law_Link_2=<br />
<br />
|Party_Name_1=LORIS FUEL SHOP SRL<br />
|Party_Link_1=<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=Unknown<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=Diana Rosu<br />
|<br />
}}<br />
<br />
The Romanian DPA fined a gas station EUR 1,000 after video footage captured by its surveillance cameras was accessed by an unauthorised person and then unlawfully uploaded to Facebook, in breach of Articles 29 and 32(4). <br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
Video footage of a data subject captured by the surveillance cameras of a gas station was inadequately processed and consequently accessed by an unauthorised person. The video was then unlawfully uploaded to Facebook and, as a result, the data subject filed a complaint with the Romanian DPA.<br />
<br />
=== Holding ===<br />
The Romanian DPA started an investigation against the gas station responsible for the lawful processing of the video footage and found a violation of GDPR Articles 29 and 32(2). Namely, the controller LORIS FUEL SHOP SRL did not implement the necessary technical and organisational measures; in particular, it did not train its employees to ensure adequate protection of the personal data. The controller was fined approximately EUR 1,000 (RON 4.941,3) and is now required to implement the necessary technical and organisational measures, including organising training for its employees to protect and ensure the security of the personal data processed through video surveillance. <br />
<br />
== Comment ==<br />
''Share your comments here!''<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.<br />
<br />
<pre><br />
12.05.2022<br />
<br />
Sanction for violating the RGPD<br />
<br />
<br />
<br />
The National Supervisory Authority completed in April 2022 an investigation at the operator LORIS FUEL SHOP SRL and found the violation of the provisions of art.29 and art.32 par. (4) of the General Data Protection Regulation (RGPD).<br />
<br />
The operator LORIS FUEL SHOP SRL was sanctioned with a fine in the amount of 4,941.3 lei, the equivalent of 1,000 EURO.<br />
<br />
The investigation was initiated following a complaint in which the petitioner claimed the publication on Facebook of some images in which he was caught and which came from the monitor belonging to a video surveillance system installed in a gas station in Harghita County.<br />
<br />
During the investigation, it was found that the operator LORIS FUEL SHOP SRL, as a proxy, did not adopt sufficient appropriate technical and organizational measures to ensure the confidentiality of personal data processed on images recorded through the television system installed in the stations used, especially in terms of training data controllers under its authority (employees). This led to the viewing and filming by unauthorized third parties of the images of the video cameras from the working point in Harghita County, later being revealed on a social network, thus violating the provisions of art. 29 and 32 para. (4) of Regulation (EU) 2016/679.<br />
<br />
At the same time, during the investigation of the operator LORIS FUEL SHOP SRL, a corrective measure was applied to ensure compliance with RGPD of personal data processing operations, by implementing appropriate technical and organizational measures, especially in terms of training data processors under the authority (employees or collaborators), by regularly organizing training sessions with them, in connection with their obligations regarding the processing of personal data through the video system installed in stations, the verification of access to recordings of images stored on DVR, rapid detection, management and reporting of personal data breaches.<br />
<br />
<br />
<br />
Legal and Communication Department<br />
<br />
A.N.S.P.D.C.P<br />
</pre></div>DianaRhttps://gdprhub.eu/index.php?title=ANSPDCP_(Romania)_-_Fine_against_Condor_SA&diff=25007ANSPDCP (Romania) - Fine against Condor SA2022-03-28T20:35:26Z<p>DianaR: /* Holding */ alignment of the paragraphs with bullet points</p>
<hr />
<div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=Romania<br />
|DPA-BG-Color=background-color:#ffffff;<br />
|DPAlogo=LogoRO.jpg<br />
|DPA_Abbrevation=ANSPDCP (Romania)<br />
|DPA_With_Country=ANSPDCP (Romania)<br />
<br />
|Case_Number_Name=Fine against Condor SA<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=ANSPDCP<br />
|Original_Source_Link_1=https://www.dataprotection.ro/?page=Comunicat_Presa_28_03_2022&lang=ro<br />
|Original_Source_Language_1=Romanian<br />
|Original_Source_Language__Code_1=RO<br />
<br />
|Type=Investigation<br />
|Outcome=Violation Found<br />
|Date_Started=<br />
|Date_Decided=<br />
|Date_Published=28.03.2022<br />
|Year=<br />
|Fine=2000<br />
|Currency=EUR<br />
<br />
|GDPR_Article_1=Article 32(1) GDPR<br />
|GDPR_Article_Link_1=Article 32 GDPR#1<br />
|GDPR_Article_2=Article 32(2) GDPR<br />
|GDPR_Article_Link_2=Article 32 GDPR#2<br />
|GDPR_Article_3=Article 32(4) GDPR<br />
|GDPR_Article_Link_3=Article 32 GDPR#4<br />
<br />
<br />
<br />
|Party_Name_1=Condor SA<br />
|Party_Link_1=https://www.condor-sa.ro/index_en.html<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
|Party_Name_4=<br />
|Party_Link_4=<br />
|Party_Name_5=<br />
|Party_Link_5=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=Unknown<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=Diana Rosu<br />
|<br />
}}<br />
<br />
The Romanian DPA fined a controller approx € 2000 for not implementing the necessary security measures, granting unauthorized access to the personal data of its current and former employees. <br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
During an investigation, the Romanian DPA found that a controller, a parachute and military flight equipment manufacturer, did not implement the necessary security measures, which led to unauthorized access to personal data. As a result, personal data of current and former employees of the controller, such as name, role, salary, bank account, personal number etc., were accessed by an unauthorized person. <br />
<br />
=== Holding ===<br />
The DPA decided that the controller: <br />
<br />
* did not prove to have implemented the necessary technical and organisational measures to ensure the confidentiality of its employees' personal data; <br />
* did not prove to have trained its personnel with regard to the protection of personal data. <br />
<br />
As such, the controller was found in breach of GDPR Article 32(1), (2) and (4) and was fined approx € 2000 (RON 9.897,4).<br />
<br />
Additionally, the following corrective measures were imposed on the controller: <br />
<br />
* it was required to improve its current technical and organisational measures, including training its personnel; <br />
* it was required to contact the person who was granted unauthorized access to the personal data to make sure they will delete or destroy the personal data. <br />
<br />
== Comment ==<br />
''Share your comments here!''<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.<br />
<br />
<pre><br />
28.03.2022<br />
<br />
Sanction for violating the RGPD<br />
<br />
<br />
<br />
The National Supervisory Authority completed in March 2022 an investigation at the operator Condor SA and found the violation of the provisions of art. 32 para. (1), (2) and (4) of the General Data Protection Regulation.<br />
<br />
As such, the operator was sanctioned with a fine of 9,897.4 lei (equivalent to 2,000 EURO).<br />
<br />
The investigation was initiated as a result of a complaint alleging that the operator Condor SA disclosed personal data of a salary nature of the employees or former employees of this operator to unauthorized persons.<br />
<br />
In the investigation, it was found that there was unauthorized access to some unspoken documents containing a number of personal data of employees or former employees, such as: place of work, name, surname, position, salary, amount for advance, bank account, personal numeric codes.<br />
<br />
Consequently, the National Supervisory Authority found that the operator Condor SA did not present evidence showing that it had adopted sufficient appropriate technical and organizational measures to ensure the confidentiality of the processed personal data of employees or its former employees. At the same time, it was noted that the operator did not present any evidence showing the training of data controllers under his authority, which led to unauthorized access to documents. Thus, the provisions of art. 32 para. (1), (2), (4) of the General Data Protection Regulation.<br />
<br />
At the same time, during the investigation, two corrective measures were applied to the operator, as follows:<br />
<br />
the corrective action to ensure compliance with the General Data Protection Regulation of personal data processing operations, by implementing appropriate technical and organizational measures, including the training of data controllers under its authority; corrective action to ensure compliance with the General Data Protection Regulation of personal data processing operations by contacting the person who had unauthorized access to that personal data, with a view to deleting or destroying it, as appropriate.<br />
<br />
<br />
<br />
Legal and Communication Department<br />
<br />
A.N.S.P.D.C.P.<br />
</pre></div>DianaRhttps://gdprhub.eu/index.php?title=ANSPDCP_(Romania)_-_Fine_against_Condor_SA&diff=25006ANSPDCP (Romania) - Fine against Condor SA2022-03-28T20:33:44Z<p>DianaR: Created page with "{{DPAdecisionBOX |Jurisdiction=Romania |DPA-BG-Color=background-color:#ffffff; |DPAlogo=LogoRO.jpg |DPA_Abbrevation=ANSPDCP (Romania) |DPA_With_Country=ANSPDCP (Romania) |Ca..."</p>
<hr />
<div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=Romania<br />
|DPA-BG-Color=background-color:#ffffff;<br />
|DPAlogo=LogoRO.jpg<br />
|DPA_Abbrevation=ANSPDCP (Romania)<br />
|DPA_With_Country=ANSPDCP (Romania)<br />
<br />
|Case_Number_Name=Fine against Condor SA<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=ANSPDCP<br />
|Original_Source_Link_1=https://www.dataprotection.ro/?page=Comunicat_Presa_28_03_2022&lang=ro<br />
|Original_Source_Language_1=Romanian<br />
|Original_Source_Language__Code_1=RO<br />
<br />
|Type=Investigation<br />
|Outcome=Violation Found<br />
|Date_Started=<br />
|Date_Decided=<br />
|Date_Published=28.03.2022<br />
|Year=<br />
|Fine=2000<br />
|Currency=EUR<br />
<br />
|GDPR_Article_1=Article 32(1) GDPR<br />
|GDPR_Article_Link_1=Article 32 GDPR#1<br />
|GDPR_Article_2=Article 32(2) GDPR<br />
|GDPR_Article_Link_2=Article 32 GDPR#2<br />
|GDPR_Article_3=Article 32(4) GDPR<br />
|GDPR_Article_Link_3=Article 32 GDPR#4<br />
<br />
<br />
<br />
|Party_Name_1=Condor SA<br />
|Party_Link_1=https://www.condor-sa.ro/index_en.html<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
|Party_Name_4=<br />
|Party_Link_4=<br />
|Party_Name_5=<br />
|Party_Link_5=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=Unknown<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=Diana Rosu<br />
|<br />
}}<br />
<br />
The Romanian DPA fined a controller approx € 2000 for not implementing the necessary security measures, granting unauthorized access to the personal data of its current and former employees. <br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
During an investigation, the Romanian DPA found that a controller, a parachute and military flight equipment manufacturer, did not implement the necessary security measures, which led to unauthorized access to personal data. As a result, personal data of current and former employees of the controller, such as name, role, salary, bank account, personal number etc., were accessed by an unauthorized person. <br />
<br />
=== Holding ===<br />
The DPA decided that the controller:<br />
- did not prove to have implemented the necessary technical and organisational measures to ensure the confidentiality of its employees' personal data;<br />
- did not prove to have trained its personnel with regard to the protection of personal data. <br />
<br />
As such, the controller was found in breach of GDPR Article 32(1), (2) and (4) and was fined approx € 2000 (RON 9.897,4).<br />
<br />
Additionally, the following corrective measures were imposed on the controller: <br />
- it was required to improve its current technical and organisational measures, including training its personnel;<br />
- it was required to contact the person who was granted unauthorized access to the personal data to make sure they will delete or destroy the personal data. <br />
<br />
== Comment ==<br />
''Share your comments here!''<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.<br />
<br />
<pre><br />
28.03.2022<br />
<br />
Sanction for violating the RGPD<br />
<br />
<br />
<br />
The National Supervisory Authority completed in March 2022 an investigation at the operator Condor SA and found the violation of the provisions of art. 32 para. (1), (2) and (4) of the General Data Protection Regulation.<br />
<br />
As such, the operator was sanctioned with a fine of 9,897.4 lei (equivalent to 2,000 EURO).<br />
<br />
The investigation was initiated as a result of a complaint alleging that the operator Condor SA disclosed personal data of a salary nature of the employees or former employees of this operator to unauthorized persons.<br />
<br />
In the investigation, it was found that there was unauthorized access to some unspoken documents containing a number of personal data of employees or former employees, such as: place of work, name, surname, position, salary, amount for advance, bank account, personal numeric codes.<br />
<br />
Consequently, the National Supervisory Authority found that the operator Condor SA did not present evidence showing that it had adopted sufficient appropriate technical and organizational measures to ensure the confidentiality of the processed personal data of employees or its former employees. At the same time, it was noted that the operator did not present any evidence showing the training of data controllers under his authority, which led to unauthorized access to documents. Thus, the provisions of art. 32 para. (1), (2), (4) of the General Data Protection Regulation.<br />
<br />
At the same time, during the investigation, two corrective measures were applied to the operator, as follows:<br />
<br />
- the corrective action to ensure compliance with the General Data Protection Regulation of personal data processing operations, by implementing appropriate technical and organizational measures, including the training of data controllers under its authority;<br />
- corrective action to ensure compliance with the General Data Protection Regulation of personal data processing operations by contacting the person who had unauthorized access to that personal data, with a view to deleting or destroying it, as appropriate.<br />
<br />
<br />
<br />
Legal and Communication Department<br />
<br />
A.N.S.P.D.C.P.<br />
</pre></div>DianaRhttps://gdprhub.eu/index.php?title=ANSPDCP_(Romania)_-_Fine_against_Kaufland_Rom%C3%A2nia&diff=25005ANSPDCP (Romania) - Fine against Kaufland România2022-03-28T20:04:19Z<p>DianaR: Created page with "{{DPAdecisionBOX |Jurisdiction=Romania |DPA-BG-Color=background-color:#ffffff; |DPAlogo=LogoRO.jpg |DPA_Abbrevation=ANSPDCP (Romania) |DPA_With_Country=ANSPDCP (Romania) |Ca..."</p>
<hr />
<div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=Romania<br />
|DPA-BG-Color=background-color:#ffffff;<br />
|DPAlogo=LogoRO.jpg<br />
|DPA_Abbrevation=ANSPDCP (Romania)<br />
|DPA_With_Country=ANSPDCP (Romania)<br />
<br />
|Case_Number_Name=Fine against Kaufland România<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=ANSPDCP<br />
|Original_Source_Link_1=https://www.dataprotection.ro/?page=Comunicat_Presa_25_03_2022_1&lang=ro<br />
|Original_Source_Language_1=Romanian<br />
|Original_Source_Language__Code_1=RO<br />
<br />
|Type=Investigation<br />
|Outcome=Violation Found<br />
|Date_Started=<br />
|Date_Decided=<br />
|Date_Published=25.03.2022<br />
|Year=<br />
|Fine=2000<br />
|Currency=EUR<br />
<br />
|GDPR_Article_1=Article 15(3) GDPR<br />
|GDPR_Article_Link_1=Article 15 GDPR#3<br />
<br />
<br />
<br />
|Party_Name_1=Kaufland România<br />
|Party_Link_1=https://www.kaufland.ro/<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
|Party_Name_4=<br />
|Party_Link_4=<br />
|Party_Name_5=<br />
|Party_Link_5=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=Unknown<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=Diana Rosu<br />
|<br />
}}<br />
<br />
The Romanian DPA fined one of the biggest retail shops in Romania (Kaufland) approx € 2000 for not complying with a data subject access request. <br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
A data subject submitted an access request regarding their personal data included in video recordings captured through surveillance systems in one of the biggest retail shops in Romania. In reply to the request, the controller did not send the full copies with all the available recordings which captured personal data of the data subject. <br />
<br />
=== Holding ===<br />
As a result, the data subject filed a complaint with the Romanian Data Protection Authority (DPA) following which the DPA started an investigation against the controller. <br />
<br />
The investigation found that the controller did not fully answer the data subject access request, in breach of GDPR Article 15(3), and consequently the controller was fined approx € 2000 (RON 98889,4). Additionally, the controller was required to comply with the corrective measure of answering the data subject request by giving access to copies of all the available recordings that included their personal data, blurring the personal data belonging to other individuals.<br />
<br />
== Comment ==<br />
''Share your comments here!''<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.<br />
<br />
<pre><br />
25.03.2022<br />
<br />
Sanction for violating the RGPD<br />
<br />
<br />
<br />
The National Supervisory Authority completed in February 2022 an investigation at the operator Kaufland Romania SCS and found a violation of the provisions of art. 15 para. (3) of the General Data Protection Regulation on access rights.<br />
<br />
As such, the operator was sanctioned with a fine of 98889.4 lei (equivalent to 2000 EURO).<br />
<br />
The investigation was initiated following a complaint, and during the investigation, it was found that the operator Kaufland did not provide the petitioner with a copy of all the recordings in the video surveillance system, which is a violation of art. 15 para. (3) of the General Data Protection Regulation<br />
<br />
Thus, it was found that the operator did not send, at the request of the data subject, a full copy of the records concerning him from the store, although they were available at the time requested by him.<br />
<br />
At the same time, the corrective measure was applied to the operator to communicate to the person concerned all the images requested by him, insofar as they are available, with the blurring of the images that lead to the identification of other persons, according to art. 15 of the General Data Protection Regulation.<br />
<br />
<br />
<br />
Legal and Communication Department<br />
<br />
A.N.S.P.D.C.P.<br />
</pre></div>DianaRhttps://gdprhub.eu/index.php?title=ANSPDCP_(Romania)_-_Fine_against_IAMSAT_Muntenia_SA&diff=23855ANSPDCP (Romania) - Fine against IAMSAT Muntenia SA2022-03-01T08:50:12Z<p>DianaR: </p>
<hr />
<div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=Romania<br />
|DPA-BG-Color=background-color:#ffffff;<br />
|DPAlogo=LogoRO.jpg<br />
|DPA_Abbrevation=ANSPDCP (Romania)<br />
|DPA_With_Country=ANSPDCP (Romania)<br />
<br />
|Case_Number_Name=Fine against IAMSAT Muntenia SA<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=ANSPDCP<br />
|Original_Source_Link_1=https://www.dataprotection.ro/?page=Comunicat_Presa_22_02_2022_1&lang=ro<br />
|Original_Source_Language_1=Romanian<br />
|Original_Source_Language__Code_1=RO<br />
<br />
|Type=Investigation<br />
|Outcome=Violation Found<br />
|Date_Started=<br />
|Date_Decided=<br />
|Date_Published=22.02.2022<br />
|Year=<br />
|Fine=3000<br />
|Currency=EUR<br />
<br />
|GDPR_Article_1=Article 12 GDPR<br />
|GDPR_Article_Link_1=Article 12 GDPR<br />
|GDPR_Article_2=Article 12(3) GDPR<br />
|GDPR_Article_Link_2=Article 12 GDPR#3<br />
|GDPR_Article_3=Article 13 GDPR<br />
|GDPR_Article_Link_3=Article 13 GDPR<br />
|GDPR_Article_4=Article 21 GDPR<br />
|GDPR_Article_Link_4=Article 21 GDPR<br />
<br />
<br />
<br />
|Party_Name_1=IAMSAT Muntenia SA<br />
|Party_Link_1=https://www.iamsat.ro/<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
|Party_Name_4=<br />
|Party_Link_4=<br />
|Party_Name_5=<br />
|Party_Link_5=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=Unknown<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=Diana Rosu<br />
|<br />
}}<br />
<br />
A controller was fined EUR 1000 for not answering an objection request and EUR 2000 for not informing its employees about the video surveillance systems installed at the workplace. <br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
A data subject, a former employee of a controller, submitted an objection request, asking the controller to stop processing their personal data since they no longer had an ongoing contractual relationship. The controller neither resolved nor replied to the data subject's request before the legal deadline, in breach of GDPR Articles 12(3) and 21. <br />
<br />
As such, the data subject filed a complaint with the Romanian DPA. <br />
<br />
During the investigation, besides the facts concerning the data subject's right request, the authority found that the controller was conducting video surveillance at its workplace and therefore processing personal data, without informing the employees (data subjects) beforehand. <br />
<br />
=== Holding ===<br />
The controller was found in breach of:<br />
<br />
* GDPR Articles 12(3) and 21 for not handling the data subject right request and fined approximately EUR 1000 (RON 4.946,2);<br />
* GDPR Articles 12-13 for not informing data subjects on the processing of personal data through video surveillance at the workplace and fined approximately EUR 2000 (RON 9.892,4).<br />
<br />
Additionally, the controller was requested to comply with the following corrective measures: <br />
<br />
* to inform the data subjects and particularly its employees on the data processing activities conducted through video surveillance; <br />
* to reply to the data subject and to solve their request accordingly. <br />
<br />
== Comment ==<br />
''Share your comments here!''<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.<br />
<br />
<pre><br />
22.02.2022<br />
<br />
Sanction for violating the RGPD<br />
<br />
<br />
<br />
In February 2022, the National Supervisory Authority completed an investigation at the IAMSAT Muntenia SA operator and found a violation of the provisions of art. 12, art. 13 and art. 21 of the General Data Protection Regulation.<br />
<br />
The operator was sanctioned for minor offenses, as follows:<br />
<br />
- fine in the amount of 9,892.4 lei, the equivalent of 2,000 euros for violating the provisions of art. 12-13 of the General Regulation on Data Protection;<br />
- fine in the amount of 4,946.2 lei, the equivalent of 1,000 euros for violating the provisions of 12 para. (3) and art. 21 of the General Data Protection Regulation.<br />
<br />
The investigation was initiated following a complaint lodged by a data subject who complained that IAMSAT Muntenia SA continued to process his personal data after the termination of his employment contract in 2020. By a request, this person informed the operator that he / she does not consent to the use of his / her e-mail address and that he / she opposes the processing of his / her personal data by IAMSAT Muntenia SA and / or third parties, natural or legal, after the termination of the employment contract.<br />
<br />
During the investigation, it was noted that IAMSAT Muntenia SA did not present evidence regarding the prior and complete information of its employees, including the data subject, before starting the processing of personal data of these persons by means of video surveillance installed in their place of work, put into operation from the middle of 2020, although the operator had the obligation to inform the employees according to art. 12-13 of the General Regulation on Data Protection.<br />
<br />
At the same time, it was noted that IAMSAT Muntenia SA did not resolve the request of the data subject and did not communicate a response regarding the measures adopted following the exercise of the right of opposition within the legal deadlines, in accordance with the provisions of art. 12 para. (3), reported to art. 21 of the General Data Protection Regulation.<br />
<br />
At the same time, two corrective measures were applied to the operator's investigation, as follows:<br />
<br />
- corrective action to ensure compliance with the General Data Protection Regulation of personal data processing operations, by providing full information to data subjects, in particular employees of the controller, on the use of the video surveillance system, in relation to the obligations of art. 12-13 of the General Regulation on Data Protection;<br />
- the corrective measure to send a response to the person concerned to his request, including the measures adopted following the exercise of the right of opposition, by reference to the provisions of art. 12 and 21 of the General Data Protection Regulation.<br />
<br />
<br />
<br />
Legal and Communication Department<br />
<br />
A.N.S.P.D.C.P.<br />
</pre></div>DianaRhttps://gdprhub.eu/index.php?title=ANSPDCP_(Romania)_-_Fine_against_IAMSAT_Muntenia_SA&diff=23854ANSPDCP (Romania) - Fine against IAMSAT Muntenia SA2022-03-01T08:44:40Z<p>DianaR: Created page with "{{DPAdecisionBOX |Jurisdiction=Romania |DPA-BG-Color=background-color:#ffffff; |DPAlogo=LogoRO.jpg |DPA_Abbrevation=ANSPDCP (Romania) |DPA_With_Country=ANSPDCP (Romania) |Ca..."</p>
<hr />
<div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=Romania<br />
|DPA-BG-Color=background-color:#ffffff;<br />
|DPAlogo=LogoRO.jpg<br />
|DPA_Abbrevation=ANSPDCP (Romania)<br />
|DPA_With_Country=ANSPDCP (Romania)<br />
<br />
|Case_Number_Name=Fine against IAMSAT Muntenia SA<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=ANSPDCP<br />
|Original_Source_Link_1=https://www.dataprotection.ro/?page=Comunicat_Presa_22_02_2022_1&lang=ro<br />
|Original_Source_Language_1=Romanian<br />
|Original_Source_Language__Code_1=RO<br />
<br />
|Type=Investigation<br />
|Outcome=Violation Found<br />
|Date_Started=<br />
|Date_Decided=<br />
|Date_Published=22.02.2022<br />
|Year=<br />
|Fine=3000<br />
|Currency=EUR<br />
<br />
|GDPR_Article_1=Article 12 GDPR<br />
|GDPR_Article_Link_1=Article 12 GDPR<br />
|GDPR_Article_2=Article 12(3) GDPR<br />
|GDPR_Article_Link_2=Article 12 GDPR#3<br />
|GDPR_Article_3=Article 13 GDPR<br />
|GDPR_Article_Link_3=Article 13 GDPR<br />
|GDPR_Article_4=Article 21 GDPR<br />
|GDPR_Article_Link_4=Article 21 GDPR<br />
<br />
<br />
<br />
|Party_Name_1=IAMSAT Muntenia SA<br />
|Party_Link_1=https://www.iamsat.ro/<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
|Party_Name_4=<br />
|Party_Link_4=<br />
|Party_Name_5=<br />
|Party_Link_5=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=Unknown<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=Diana Rosu<br />
|<br />
}}<br />
<br />
A controller was fined EUR1000 for not answering an objection request and EUR2000 for not informing its employees about the video surveillance systems installed at the workplace. <br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
A data subject, a former employee of a controller, submitted an objection request, asking the controller to stop processing their personal data since they no longer had an ongoing contractual relationship. The controller neither resolved nor replied to the data subject's request before the legal deadline, in breach of GDPR Articles 12(3) and 21. <br />
As such, the data subject filed a complaint with the Romanian DPA. <br />
<br />
During the investigation, besides the facts concerning the data subject's right request, the authority found that the controller was conducting video surveillance at its workplace and therefore processing personal data, without informing the employees (data subjects) beforehand. <br />
<br />
=== Holding ===<br />
The controller was found in breach of:<br />
- GDPR Articles 12(3) and 21 for not handling the data subject right request and fined approximately EUR1000 (RON 4.946,2);<br />
- GDPR Articles 12-13 for not informing data subjects on the processing of personal data through video surveillance at the workplace.<br />
<br />
Additionally, the controller was requested to comply with the following corrective measures: <br />
- to inform the data subjects and particularly its employees on the data processing activities conducted through video surveillance;<br />
- to reply to the data subject and to solve their request accordingly. <br />
<br />
== Comment ==<br />
''Share your comments here!''<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.<br />
<br />
<pre><br />
22.02.2022<br />
<br />
Sanction for violating the RGPD<br />
<br />
<br />
<br />
In February 2022, the National Supervisory Authority completed an investigation at the IAMSAT Muntenia SA operator and found a violation of the provisions of art. 12, art. 13 and art. 21 of the General Data Protection Regulation.<br />
<br />
The operator was sanctioned for minor offenses, as follows:<br />
<br />
- fine in the amount of 9,892.4 lei, the equivalent of 2,000 euros for violating the provisions of art. 12-13 of the General Regulation on Data Protection;<br />
- fine in the amount of 4,946.2 lei, the equivalent of 1,000 euros for violating the provisions of 12 para. (3) and art. 21 of the General Data Protection Regulation.<br />
<br />
The investigation was initiated following a complaint lodged by a data subject who complained that IAMSAT Muntenia SA continued to process his personal data after the termination of his employment contract in 2020. By a request, this person informed the operator that he / she does not consent to the use of his / her e-mail address and that he / she opposes the processing of his / her personal data by IAMSAT Muntenia SA and / or third parties, natural or legal, after the termination of the employment contract.<br />
<br />
During the investigation, it was noted that IAMSAT Muntenia SA did not present evidence regarding the prior and complete information of its employees, including the data subject, before starting the processing of personal data of these persons by means of video surveillance installed in their place of work, put into operation from the middle of 2020, although the operator had the obligation to inform the employees according to art. 12-13 of the General Regulation on Data Protection.<br />
<br />
At the same time, it was noted that IAMSAT Muntenia SA did not resolve the request of the data subject and did not communicate a response regarding the measures adopted following the exercise of the right of opposition within the legal deadlines, in accordance with the provisions of art. 12 para. (3), reported to art. 21 of the General Data Protection Regulation.<br />
<br />
At the same time, two corrective measures were applied to the operator's investigation, as follows:<br />
<br />
- corrective action to ensure compliance with the General Data Protection Regulation of personal data processing operations, by providing full information to data subjects, in particular employees of the controller, on the use of the video surveillance system, in relation to the obligations of art. 12-13 of the General Regulation on Data Protection;<br />
- the corrective measure to send a response to the person concerned to his request, including the measures adopted following the exercise of the right of opposition, by reference to the provisions of art. 12 and 21 of the General Data Protection Regulation.<br />
<br />
<br />
<br />
Legal and Communication Department<br />
<br />
A.N.S.P.D.C.P.<br />
</pre></div>DianaRhttps://gdprhub.eu/index.php?title=ANSPDCP_(Romania)_-_Fine_against_Societatea_Civil%C4%83_Profesional%C4%83_de_Avoca%C8%9Bi_%E2%80%9ESabou,_Burz_%26_Cuc%E2%80%9D&diff=23853ANSPDCP (Romania) - Fine against Societatea Civilă Profesională de Avocați „Sabou, Burz & Cuc”2022-03-01T08:17:14Z<p>DianaR: /* Facts */</p>
<hr />
<div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=Romania<br />
|DPA-BG-Color=background-color:#ffffff;<br />
|DPAlogo=LogoRO.jpg<br />
|DPA_Abbrevation=ANSPDCP (Romania)<br />
|DPA_With_Country=ANSPDCP (Romania)<br />
<br />
|Case_Number_Name=Fine against Societatea Civilă Profesională de Avocați „Sabou, Burz & Cuc”<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=ANSPDCP<br />
|Original_Source_Link_1=https://www.dataprotection.ro/?page=Comunicat_Presa_22_02_2022_2&lang=ro<br />
|Original_Source_Language_1=Romanian<br />
|Original_Source_Language__Code_1=RO<br />
<br />
|Type=Investigation<br />
|Outcome=Violation Found<br />
|Date_Started=<br />
|Date_Decided=<br />
|Date_Published=22.02.2022<br />
|Year=<br />
|Fine=1000<br />
|Currency=EUR<br />
<br />
|GDPR_Article_1=Article 5(1)(a) GDPR<br />
|GDPR_Article_Link_1=Article 5 GDPR#1a<br />
|GDPR_Article_2=Article 5(1)(b) GDPR<br />
|GDPR_Article_Link_2=Article 5 GDPR#1b<br />
|GDPR_Article_3=Article 5(1)(c) GDPR<br />
|GDPR_Article_Link_3=Article 5 GDPR#1c<br />
|GDPR_Article_4=Article 5(1)(f) GDPR<br />
|GDPR_Article_Link_4=Article 5 GDPR#1f<br />
|GDPR_Article_5=Article 5(2) GDPR<br />
|GDPR_Article_Link_5=Article 5 GDPR#2<br />
|GDPR_Article_6=Article 6 GDPR<br />
|GDPR_Article_Link_6=Article 6 GDPR<br />
<br />
<br />
<br />
|Party_Name_1=Societatea Civilă Profesională de Avocați „Sabou, Burz & Cuc”<br />
|Party_Link_1=<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
|Party_Name_4=<br />
|Party_Link_4=<br />
|Party_Name_5=<br />
|Party_Link_5=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=Unknown<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=Diana Rosu<br />
|<br />
}}<br />
<br />
A lawyer's office was fined EUR1000 for disclosing the personal data of one of its clients in a WhatsApp group with 247 members.<br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
After a complaint was filed by a data subject, the Romanian DPA started an investigation against a lawyer's office. The investigation found that, while the lawyer was defending the data subject, they posted on a lawyers' WhatsApp group (with 247 members) a case file containing personal data. <br />
<br />
=== Holding ===<br />
The investigation found that the case file was shared without a valid legal basis and without taking the necessary technical and organisational measures meant to ensure data confidentiality, in breach of GDPR Articles 5(1)a, 5(1)b, 5(1)c, 5(1)f, 5(2), and 6. <br />
<br />
The controller was therefore fined approximately EUR 1000 (RON 4946) and sanctioned with the corrective measures of: <br />
<br />
- being required to notify the members of the WhatsApp group about the breach and to request them to erase the file; <br />
<br />
- being required to comply with GDPR by training its personnel and by avoiding any unlawful data disclosure. <br />
<br />
== Comment ==<br />
''Share your comments here!''<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.<br />
<br />
<pre><br />
22.02.2022<br />
<br />
RGPD fine<br />
<br />
<br />
<br />
In February, the National Supervisory Authority completed an investigation at the operator of the Professional Civil Law Firm “Sabou, Burz & Cuc” and found that it had violated the provisions of art. 5 para. (1) lit. a), b), c), f) and par. (2) and of art. 6 of the General Data Protection Regulation.<br />
<br />
The operator of the Professional Civil Law Firm “Sabou, Burz & Cuc” was sanctioned with a fine of 4946 lei, the equivalent of 1,000 EURO.<br />
<br />
The investigation was initiated following a complaint requesting the disclosure by the operator of the personal data of a petitioner (customer of the operator) without his consent and prior information, by posting an address received by him from a public institution on a group of WhatsApp used by lawyers of a bar.<br />
<br />
The investigation found that the Professional Civil Law Firm "Sabou, Burz & Cuc" disclosed the personal data of the data subject (name, surname, home address, information regarding a case pending before a court) on a WhatsApp group consisting of 247 members, without legal basis, excessively and incompatible with the initial purpose of their collection, as well as without the adoption of technical and organizational measures to maintain the confidentiality of these data, thus violating the provisions of art. 5 para. (1) lit. a), b), c), f) and par. (2), as well as of art. 6 of the General Data Protection Regulation.<br />
<br />
At the same time, the following corrective measures were applied to the operator:<br />
<br />
- corrective action to ensure compliance with the General Data Protection Regulation of the data collection and further processing of the petitioner's personal data to ensure the notification of all members of the WhatsApp group used by lawyers of a bar in order to delete the address posted on this group;<br />
- corrective action to ensure compliance with the General Data Protection Regulation of the collection and further processing of personal data in the legal relations of assistance and representation of the operator's customers, so as to avoid disclosure of personal data obtained from them, except in situations permitted by law, including through regular training of data controllers under the authority of the controller.<br />
<br />
A.N.S.P.D.C.P.<br />
</pre></div>DianaRhttps://gdprhub.eu/index.php?title=ANSPDCP_(Romania)_-_Fine_against_Societatea_Civil%C4%83_Profesional%C4%83_de_Avoca%C8%9Bi_%E2%80%9ESabou,_Burz_%26_Cuc%E2%80%9D&diff=23852ANSPDCP (Romania) - Fine against Societatea Civilă Profesională de Avocați „Sabou, Burz & Cuc”2022-03-01T08:14:17Z<p>DianaR: Created page with "{{DPAdecisionBOX |Jurisdiction=Romania |DPA-BG-Color=background-color:#ffffff; |DPAlogo=LogoRO.jpg |DPA_Abbrevation=ANSPDCP (Romania) |DPA_With_Country=ANSPDCP (Romania) |Ca..."</p>
<hr />
<div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=Romania<br />
|DPA-BG-Color=background-color:#ffffff;<br />
|DPAlogo=LogoRO.jpg<br />
|DPA_Abbrevation=ANSPDCP (Romania)<br />
|DPA_With_Country=ANSPDCP (Romania)<br />
<br />
|Case_Number_Name=Fine against Societatea Civilă Profesională de Avocați „Sabou, Burz & Cuc”<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=ANSPDCP<br />
|Original_Source_Link_1=https://www.dataprotection.ro/?page=Comunicat_Presa_22_02_2022_2&lang=ro<br />
|Original_Source_Language_1=Romanian<br />
|Original_Source_Language__Code_1=RO<br />
<br />
|Type=Investigation<br />
|Outcome=Violation Found<br />
|Date_Started=<br />
|Date_Decided=<br />
|Date_Published=22.02.2022<br />
|Year=<br />
|Fine=1000<br />
|Currency=EUR<br />
<br />
|GDPR_Article_1=Article 5(1)(a) GDPR<br />
|GDPR_Article_Link_1=Article 5 GDPR#1a<br />
|GDPR_Article_2=Article 5(1)(b) GDPR<br />
|GDPR_Article_Link_2=Article 5 GDPR#1b<br />
|GDPR_Article_3=Article 5(1)(c) GDPR<br />
|GDPR_Article_Link_3=Article 5 GDPR#1c<br />
|GDPR_Article_4=Article 5(1)(f) GDPR<br />
|GDPR_Article_Link_4=Article 5 GDPR#1f<br />
|GDPR_Article_5=Article 5(2) GDPR<br />
|GDPR_Article_Link_5=Article 5 GDPR#2<br />
|GDPR_Article_6=Article 6 GDPR<br />
|GDPR_Article_Link_6=Article 6 GDPR<br />
<br />
<br />
<br />
|Party_Name_1=Societatea Civilă Profesională de Avocați „Sabou, Burz & Cuc”<br />
|Party_Link_1=<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
|Party_Name_4=<br />
|Party_Link_4=<br />
|Party_Name_5=<br />
|Party_Link_5=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=Unknown<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=Diana Rosu<br />
|<br />
}}<br />
<br />
A lawyer's office was fined EUR1000 for disclosing the personal data of one of its clients in a WhatsApp group with 247 members.<br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
After a complaint was filed by a data subject, the Romanian DPA started an investigation against a lawyer's office. The investigation found that, while the lawyer was defending the data subject, they posted on a lawyers' WhatsApp group (with 247 members) a case file containing personal data. <br />
<br />
=== Holding ===<br />
The investigation found that the case file was shared without a valid legal basis and without taking the necessary technical and organisational measures meant to ensure data confidentiality, in breach of GDPR Articles 5(1)a, 5(1)b, 5(1)c, 5(1)f, 5(2), and 6. <br />
<br />
The controller was therefore fined approximately EUR 1000 (RON 4946) and sanctioned with the corrective measures of:<br />
- being required to notify the members of the WhatsApp group and to request the file erasure;<br />
- being required to comply with GDPR by training the personnel and by avoiding any unlawful data disclosure. <br />
<br />
== Comment ==<br />
''Share your comments here!''<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.<br />
<br />
<pre><br />
22.02.2022<br />
<br />
RGPD fine<br />
<br />
<br />
<br />
In February, the National Supervisory Authority completed an investigation at the operator of the Professional Civil Law Firm “Sabou, Burz & Cuc” and found that it had violated the provisions of art. 5 para. (1) lit. a), b), c), f) and par. (2) and of art. 6 of the General Data Protection Regulation.<br />
<br />
The operator of the Professional Civil Law Firm “Sabou, Burz & Cuc” was sanctioned with a fine of 4946 lei, the equivalent of 1,000 EURO.<br />
<br />
The investigation was initiated following a complaint requesting the disclosure by the operator of the personal data of a petitioner (customer of the operator) without his consent and prior information, by posting an address received by him from a public institution on a group of WhatsApp used by lawyers of a bar.<br />
<br />
The investigation found that the Professional Civil Law Firm "Sabou, Burz & Cuc" disclosed the personal data of the data subject (name, surname, home address, information regarding a case pending before a court) on a WhatsApp group consisting of 247 members, without legal basis, excessively and incompatible with the initial purpose of their collection, as well as without the adoption of technical and organizational measures to maintain the confidentiality of these data, thus violating the provisions of art. 5 para. (1) lit. a), b), c), f) and par. (2), as well as of art. 6 of the General Data Protection Regulation.<br />
<br />
At the same time, the following corrective measures were applied to the operator:<br />
<br />
corrective action to ensure compliance with the General Data Protection Regulation of the data collection and further processing of the petitioner's personal data to ensure the notification of all members of the WhatsApp group used by lawyers of a bar in order to delete the address posted on this group;<br />
corrective action to ensure compliance with the General Data Protection Regulation of the collection and further processing of personal data in the legal relations of assistance and representation of the operator's customers, so as to avoid disclosure of personal data obtained from them, except in situations permitted by law, including through regular training of data controllers under the authority of the controller.<br />
<br />
A.N.S.P.D.C.P.<br />
</pre></div>DianaRhttps://gdprhub.eu/index.php?title=ANSPDCP_(Romania)_-_Fine_against_SC_Grupex_2000_SRL&diff=22993ANSPDCP (Romania) - Fine against SC Grupex 2000 SRL2022-02-08T23:30:58Z<p>DianaR: /* Facts */</p>
<hr />
<div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=Romania<br />
|DPA-BG-Color=background-color:#ffffff;<br />
|DPAlogo=LogoRO.jpg<br />
|DPA_Abbrevation=ANSPDCP (Romania)<br />
|DPA_With_Country=ANSPDCP (Romania)<br />
<br />
|Case_Number_Name=Fine against SC Grupex 2000 SRL<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=ANSPDCP<br />
|Original_Source_Link_1=https://www.dataprotection.ro/?page=Comunicat_Presa_01_02_2022_2&lang=ro<br />
|Original_Source_Language_1=Romanian<br />
|Original_Source_Language__Code_1=RO<br />
<br />
|Type=Investigation<br />
|Outcome=Violation Found<br />
|Date_Started=<br />
|Date_Decided=07.01.2022<br />
|Date_Published=01.02.2022<br />
|Year=2022<br />
|Fine=1000<br />
|Currency=EUR<br />
<br />
|GDPR_Article_1=Article 3 GDPR<br />
|GDPR_Article_Link_1=Article 3 GDPR<br />
|GDPR_Article_2=Article 5(1)(a) GDPR<br />
|GDPR_Article_Link_2=Article 5 GDPR#1a<br />
|GDPR_Article_3=Article 5(1)(b) GDPR<br />
|GDPR_Article_Link_3=Article 5 GDPR#1b<br />
|GDPR_Article_4=Article 5(1)(f) GDPR<br />
|GDPR_Article_Link_4=Article 5 GDPR#1f<br />
|GDPR_Article_5=Article 5(1)(c) GDPR<br />
|GDPR_Article_Link_5=Article 5 GDPR#1c<br />
|GDPR_Article_6=Article 5(2) GDPR<br />
|GDPR_Article_Link_6=Article 5 GDPR#2<br />
|GDPR_Article_7=Article 9 GDPR<br />
|GDPR_Article_Link_7=Article 9 GDPR<br />
<br />
<br />
<br />
|Party_Name_1= SC Grupex 2000 SRL<br />
|Party_Link_1=https://calarasisud.ro/<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
|Party_Name_4=<br />
|Party_Link_4=<br />
|Party_Name_5=<br />
|Party_Link_5=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=Unknown<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=Diana Rosu<br />
|<br />
}}<br />
<br />
The Romanian DPA fined a news website approximately €1.000 after it unlawfully published a video recording of hospitalised medical patients, in breach of GDPR Articles 3, 5(1)a, 5(1)b, 5(1)c, 5(1)f, 5(2) and 9.<br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
The Romanian DPA started an investigation against a news website after a regional Social Assistance Agency in Romania complained that it had shared illegally obtained video footage. The investigation found that the footage showed medical patients hospitalised in a medical institute, and that publishing it on the news website resulted in the patients' personal data being shared unlawfully.<br />
<br />
=== Holding ===<br />
The controller (the owner of the news website) was found in breach of GDPR Articles 3, 5(1)a, 5(1)b, 5(1)c, 5(1)f, 5(2) and 9, and was therefore fined approximately €1.000 (RON 4.943,60). The controller was also made subject to a coercive measure requiring it to achieve GDPR compliance by implementing appropriate technical and organisational measures.<br />
<br />
== Comment ==<br />
''Share your comments here!''<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.<br />
<br />
<pre><br />
01.02.2022<br />
<br />
RGPD fine<br />
<br />
<br />
<br />
The National Supervisory Authority completed on 07.01.2022 an investigation at the operator of SC Grupex 2000 SRL, on which occasion it was found that the provisions of art. 6 and art. 9, by reference to the principles provided by art. 5 para. (1) lit. a), b), c) and f) and par. (2) of the General Data Protection Regulation, had been violated.<br />
<br />
As such, the operator was sanctioned with a fine of 4,943.60 lei (equivalent to 1,000 EURO).<br />
<br />
The investigation was started as a result of sending notifications from a County Directorate of Social Assistance and Child Protection, having as object the posting of a video material containing images of some patients, published on the website owned by SC Grupex 2000 SRL.<br />
<br />
During the investigation, it was found that SC Grupex 2000 SRL illegally processed the personal data of some individuals, institutionalized patients, in a video material available on the operator's website, in violation of the provisions of art. 6 and art. 9 by reference to the principles provided by art. 5 para. (1) lit. a), b), c) and f) and par. (2) of the RGPD.<br />
<br />
At the same time, during the operator's investigation, the corrective measure was applied to ensure the compliance with RGPD of the personal data processing operations, by implementing adequate technical and organizational measures, in compliance with art. 5 and art. 6 of the RGPD.<br />
<br />
<br />
<br />
Legal and Communication Department<br />
<br />
ANSPDCP<br />
</pre></div>DianaRhttps://gdprhub.eu/index.php?title=ANSPDCP_(Romania)_-_Fine_against_SC_Grupex_2000_SRL&diff=22992ANSPDCP (Romania) - Fine against SC Grupex 2000 SRL2022-02-08T23:30:06Z<p>DianaR: Created page with "{{DPAdecisionBOX |Jurisdiction=Romania |DPA-BG-Color=background-color:#ffffff; |DPAlogo=LogoRO.jpg |DPA_Abbrevation=ANSPDCP (Romania) |DPA_With_Country=ANSPDCP (Romania) |Ca..."</p>
<hr />
<div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=Romania<br />
|DPA-BG-Color=background-color:#ffffff;<br />
|DPAlogo=LogoRO.jpg<br />
|DPA_Abbrevation=ANSPDCP (Romania)<br />
|DPA_With_Country=ANSPDCP (Romania)<br />
<br />
|Case_Number_Name=Fine against SC Grupex 2000 SRL<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=ANSPDCP<br />
|Original_Source_Link_1=https://www.dataprotection.ro/?page=Comunicat_Presa_01_02_2022_2&lang=ro<br />
|Original_Source_Language_1=Romanian<br />
|Original_Source_Language__Code_1=RO<br />
<br />
|Type=Investigation<br />
|Outcome=Violation Found<br />
|Date_Started=<br />
|Date_Decided=07.01.2022<br />
|Date_Published=01.02.2022<br />
|Year=2022<br />
|Fine=1000<br />
|Currency=EUR<br />
<br />
|GDPR_Article_1=Article 3 GDPR<br />
|GDPR_Article_Link_1=Article 3 GDPR<br />
|GDPR_Article_2=Article 5(1)(a) GDPR<br />
|GDPR_Article_Link_2=Article 5 GDPR#1a<br />
|GDPR_Article_3=Article 5(1)(b) GDPR<br />
|GDPR_Article_Link_3=Article 5 GDPR#1b<br />
|GDPR_Article_4=Article 5(1)(f) GDPR<br />
|GDPR_Article_Link_4=Article 5 GDPR#1f<br />
|GDPR_Article_5=Article 5(1)(c) GDPR<br />
|GDPR_Article_Link_5=Article 5 GDPR#1c<br />
|GDPR_Article_6=Article 5(2) GDPR<br />
|GDPR_Article_Link_6=Article 5 GDPR#2<br />
|GDPR_Article_7=Article 9 GDPR<br />
|GDPR_Article_Link_7=Article 9 GDPR<br />
<br />
<br />
<br />
|Party_Name_1= SC Grupex 2000 SRL<br />
|Party_Link_1=https://calarasisud.ro/<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
|Party_Name_4=<br />
|Party_Link_4=<br />
|Party_Name_5=<br />
|Party_Link_5=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=Unknown<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=Diana Rosu<br />
|<br />
}}<br />
<br />
The Romanian DPA fined a news website approximately €1.000 after it unlawfully published a video recording of hospitalised medical patients, in breach of GDPR Articles 3, 5(1)a, 5(1)b, 5(1)c, 5(1)f, 5(2) and 9.<br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
The Romanian DPA started an investigation against a news website after a regional Social Assistance Agency in Romania complained that it had shared illegally obtained video footage. The investigation found that the footage showed medical patients hospitalised in a medical institute, and that publishing it on the news website resulted in the patients' personal data being shared unlawfully.<br />
<br />
=== Holding ===<br />
The controller (the owner of the news website) was found in breach of GDPR Articles 3, 5(1)a, 5(1)b, 5(1)c, 5(1)f, 5(2) and 9, and was therefore fined approximately €1.000 (RON 4.943,60). The controller was also made subject to a coercive measure requiring it to achieve GDPR compliance by implementing appropriate technical and organisational measures.<br />
<br />
== Comment ==<br />
''Share your comments here!''<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.<br />
<br />
<pre><br />
01.02.2022<br />
<br />
RGPD fine<br />
<br />
<br />
<br />
The National Supervisory Authority completed on 07.01.2022 an investigation at the operator of SC Grupex 2000 SRL, on which occasion it was found that the provisions of art. 6 and art. 9, by reference to the principles provided by art. 5 para. (1) lit. a), b), c) and f) and par. (2) of the General Data Protection Regulation, had been violated.<br />
<br />
As such, the operator was sanctioned with a fine of 4,943.60 lei (equivalent to 1,000 EURO).<br />
<br />
The investigation was started as a result of sending notifications from a County Directorate of Social Assistance and Child Protection, having as object the posting of a video material containing images of some patients, published on the website owned by SC Grupex 2000 SRL.<br />
<br />
During the investigation, it was found that SC Grupex 2000 SRL illegally processed the personal data of some individuals, institutionalized patients, in a video material available on the operator's website, in violation of the provisions of art. 6 and art. 9 by reference to the principles provided by art. 5 para. (1) lit. a), b), c) and f) and par. (2) of the RGPD.<br />
<br />
At the same time, during the operator's investigation, the corrective measure was applied to ensure the compliance with RGPD of the personal data processing operations, by implementing adequate technical and organizational measures, in compliance with art. 5 and art. 6 of the RGPD.<br />
<br />
<br />
<br />
Legal and Communication Department<br />
<br />
ANSPDCP<br />
</pre></div>DianaRhttps://gdprhub.eu/index.php?title=ANSPDCP_(Romania)_-_Fine_against_Kaufland_Romania_SCS&diff=22573ANSPDCP (Romania) - Fine against Kaufland Romania SCS2022-01-26T09:25:56Z<p>DianaR: /* Holding */</p>
<hr />
<div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=Romania<br />
|DPA-BG-Color=background-color:#ffffff;<br />
|DPAlogo=LogoRO.jpg<br />
|DPA_Abbrevation=ANSPDCP (Romania)<br />
|DPA_With_Country=ANSPDCP (Romania)<br />
<br />
|Case_Number_Name=Fine against Kaufland Romania SCS<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=ANSPDCP<br />
|Original_Source_Link_1=https://www.dataprotection.ro/?page=Comunicat_Presa_20_01_2022&lang=ro<br />
|Original_Source_Language_1=Romanian<br />
|Original_Source_Language__Code_1=RO<br />
<br />
|Type=Investigation<br />
|Outcome=Violation Found<br />
|Date_Decided=<br />
|Date_Published=20.01.2022<br />
|Year=<br />
|Fine=3000<br />
|Currency=EUR<br />
<br />
|GDPR_Article_1=Article 15(3) GDPR<br />
|GDPR_Article_Link_1=Article 15 GDPR#3<br />
<br />
<br />
<br />
|Party_Name_1=Kaufland Romania SCS<br />
|Party_Link_1=https://www.kaufland.ro/<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
|Party_Name_4=<br />
|Party_Link_4=<br />
|Party_Name_5=<br />
|Party_Link_5=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=Unknown<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=Diana Rosu<br />
|<br />
}}<br />
<br />
The Romanian DPA fined Kaufland Romania approx €3000 for not providing complete video footage in response to a data access request. If disclosed, the full recordings would have included and compromised other individuals' images. However, the DPA argued that technical measures could have been implemented to blur such data.<br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
A data subject made an access request, seeking to receive a copy of the video recordings from when they were visiting the controller's supermarket (Kaufland).<br />
<br />
Kaufland refused to provide all the existing footage that included the data subject, arguing that other individuals were captured in those videos, and that disclosing such material would affect their rights and freedoms.<br />
<br />
=== Holding ===<br />
The Romanian DPA decided that a controller shall take the necessary technical and organisational measures when answering an access request, to make sure that other individuals' personal data and rights are not affected. The DPA suggested that, in such cases, other individuals' images could have been blurred.<br />
<br />
Therefore, Kaufland did not fully answer an access request from a data subject, in breach of article 15(3) GDPR and it was fined RON 14 846,4 (approx €3000).<br />
<br />
== Comment ==<br />
''Share your comments here!''<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.<br />
<br />
<pre><br />
<br />
<br />
<br />
<br />
<br />
20.01.2022<br />
Sanction for RGPD<br />
<br />
The National Supervisory Authority completed in December 2021 an investigation at the operator Kaufland Romania SCS and found a violation of the provisions of art. 15 para. (3) of the General Data Protection Regulation, regarding the right of access.<br />
As such, the operator was sanctioned with a fine of 14846.4 lei (equivalent to 3000 EURO).<br />
The investigation was initiated following a complaint from a data subject that the operator did not provide a full copy of the video recordings for a certain time during which it was in the commercial premises.<br />
In the investigation, it was considered that it is the obligation of the operator to communicate a video containing images concerning the data subject, as a result of the exercise of the right of access by him, and the communication of images can be done by the operator by taking shutter action ("Blurring") of those images that could infringe the rights and freedoms of other individuals, if any. Therefore, the operator is obliged to adopt a series of technical and organizational measures, in order to allow the full exercise of the access right of the data subject, while respecting the rights of other individuals.<br />
As such, the National Supervisory Authority found that the operator did not fully communicate the respective video recordings requested, which constitutes a violation of art. 15 para. (3) of the General Data Protection Regulation.<br />
<br />
Legal and Communication Department<br />
A.N.S.P.D.C.P.<br />
<br />
<br />
<br />
<br />
<br />
</pre></div>DianaRhttps://gdprhub.eu/index.php?title=ANSPDCP_(Romania)_-_Fine_against_Kaufland_Romania_SCS&diff=22571ANSPDCP (Romania) - Fine against Kaufland Romania SCS2022-01-26T09:19:55Z<p>DianaR: Created page with "{{DPAdecisionBOX |Jurisdiction=Romania |DPA-BG-Color=background-color:#ffffff; |DPAlogo=LogoRO.jpg |DPA_Abbrevation=ANSPDCP (Romania) |DPA_With_Country=ANSPDCP (Romania) |Ca..."</p>
<hr />
<div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=Romania<br />
|DPA-BG-Color=background-color:#ffffff;<br />
|DPAlogo=LogoRO.jpg<br />
|DPA_Abbrevation=ANSPDCP (Romania)<br />
|DPA_With_Country=ANSPDCP (Romania)<br />
<br />
|Case_Number_Name=Fine against Kaufland Romania SCS<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=ANSPDCP<br />
|Original_Source_Link_1=https://www.dataprotection.ro/?page=Comunicat_Presa_20_01_2022&lang=ro<br />
|Original_Source_Language_1=Romanian<br />
|Original_Source_Language__Code_1=RO<br />
<br />
|Type=Investigation<br />
|Outcome=Violation Found<br />
|Date_Decided=<br />
|Date_Published=20.01.2022<br />
|Year=<br />
|Fine=3000<br />
|Currency=EUR<br />
<br />
|GDPR_Article_1=Article 15(3) GDPR<br />
|GDPR_Article_Link_1=Article 15 GDPR#3<br />
<br />
<br />
<br />
|Party_Name_1=Kaufland Romania SCS<br />
|Party_Link_1=https://www.kaufland.ro/<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
|Party_Name_4=<br />
|Party_Link_4=<br />
|Party_Name_5=<br />
|Party_Link_5=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=Unknown<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=Diana Rosu<br />
|<br />
}}<br />
<br />
The Romanian DPA fined Kaufland Romania approx €3000 for not providing complete video footage in response to a data access request. If disclosed, the full recordings would have included and compromised other individuals' images. However, the DPA argued that technical measures could have been implemented to blur such data.<br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
A data subject made an access request, seeking to receive a copy of the video recordings from when they were visiting the controller's supermarket (Kaufland).<br />
<br />
Kaufland refused to provide all the existing footage that included the data subject, arguing that other individuals were captured in those videos, and that disclosing such material would affect their rights and freedoms.<br />
<br />
=== Holding ===<br />
The Romanian DPA decided that a controller shall take the necessary technical and organisational measures when answering an access request, to make sure that other individuals' personal data and rights are not affected. The DPA suggested that, in such cases, other individuals' images could have been blurred.<br />
<br />
Therefore, Kaufland did not fully answer an access request from a data subject, in breach of article 15(3) GDPR and was fined RON 14 846,4 (approx €3000).<br />
<br />
== Comment ==<br />
''Share your comments here!''<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.<br />
<br />
<pre><br />
<br />
<br />
<br />
<br />
<br />
20.01.2022<br />
Sanction for RGPD<br />
<br />
The National Supervisory Authority completed in December 2021 an investigation at the operator Kaufland Romania SCS and found a violation of the provisions of art. 15 para. (3) of the General Data Protection Regulation, regarding the right of access.<br />
As such, the operator was sanctioned with a fine of 14846.4 lei (equivalent to 3000 EURO).<br />
The investigation was initiated following a complaint from a data subject that the operator did not provide a full copy of the video recordings for a certain time during which it was in the commercial premises.<br />
In the investigation, it was considered that it is the obligation of the operator to communicate a video containing images concerning the data subject, as a result of the exercise of the right of access by him, and the communication of images can be done by the operator by taking shutter action ("Blurring") of those images that could infringe the rights and freedoms of other individuals, if any. Therefore, the operator is obliged to adopt a series of technical and organizational measures, in order to allow the full exercise of the access right of the data subject, while respecting the rights of other individuals.<br />
As such, the National Supervisory Authority found that the operator did not fully communicate the respective video recordings requested, which constitutes a violation of art. 15 para. (3) of the General Data Protection Regulation.<br />
<br />
Legal and Communication Department<br />
A.N.S.P.D.C.P.<br />
<br />
<br />
<br />
<br />
<br />
</pre></div>DianaRhttps://gdprhub.eu/index.php?title=ANSPDCP_(Romania)_-_Fine_against_SC_Nobiotic_Pharma_SRL&diff=21844ANSPDCP (Romania) - Fine against SC Nobiotic Pharma SRL2021-12-14T23:29:37Z<p>DianaR: Created page with "{{DPAdecisionBOX |Jurisdiction=Romania |DPA-BG-Color=background-color:#ffffff; |DPAlogo=LogoRO.jpg |DPA_Abbrevation=ANSPDCP (Romania) |DPA_With_Country=ANSPDCP (Romania) |Ca..."</p>
<hr />
<div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=Romania<br />
|DPA-BG-Color=background-color:#ffffff;<br />
|DPAlogo=LogoRO.jpg<br />
|DPA_Abbrevation=ANSPDCP (Romania)<br />
|DPA_With_Country=ANSPDCP (Romania)<br />
<br />
|Case_Number_Name=Fine against SC Nobiotic Pharma SRL<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=ANSPDCP<br />
|Original_Source_Link_1=https://www.dataprotection.ro/?page=Comunicat_Presa_13_12_2021&lang=ro<br />
|Original_Source_Language_1=Romanian<br />
|Original_Source_Language__Code_1=RO<br />
<br />
|Type=Investigation<br />
|Outcome=Violation Found<br />
|Date_Decided=<br />
|Date_Published=13.12.2021<br />
|Year=2021<br />
|Fine=2000<br />
|Currency=EUR<br />
<br />
|GDPR_Article_1=Article 58(1)(a) GDPR<br />
|GDPR_Article_Link_1=Article 58 GDPR#1a<br />
|GDPR_Article_2=Article 58(1)(e) GDPR<br />
|GDPR_Article_Link_2=Article 58 GDPR#1e<br />
<br />
<br />
<br />
|Party_Name_1=SC Nobiotic Pharma SRL<br />
|Party_Link_1=http://nobiotic.ro/<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
|Party_Name_4=<br />
|Party_Link_4=<br />
|Party_Name_5=<br />
|Party_Link_5=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=Unknown<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=Diana Rosu<br />
|<br />
}}<br />
<br />
A controller which did not reply to the DPA's request to provide information regarding its processing operations was fined approximately €2.000.<br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
A data subject filed a complaint after they received unsolicited commercial SMS messages, and had their data processed for direct marketing purposes without consent. <br />
<br />
While starting an investigation, the Romanian DPA required the controller to provide information regarding its processing operations and access to the processed personal data. <br />
<br />
=== Holding ===<br />
The controller did not answer the DPA's requests and therefore was sanctioned with a fine of approximately €2.000 (RON 9.890).<br />
<br />
== Comment ==<br />
''Share your comments here!''<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.<br />
<br />
<pre><br />
<br />
<br />
<br />
<br />
<br />
13.12.2021<br />
RGPD<br />
<br />
In November of this year, the National Supervisory Authority completed an investigation at the operator of SC Nobiotic Pharma SRL and found a violation of the provisions of art. 58 para. (1) of the General Data Protection Regulation.<br />
As such, SC Nobiotic Pharma SRL was sanctioned with a fine in the amount of 9890 lei, the equivalent of 2000 EURO, for violating art. 58 para. (1) of the General Regulation on Data Protection, regarding the obligation of the operator to provide the necessary information to the National Supervisory Authority.<br />
In this context, we specify that art. 58 para. (1) lit. a) and e) of the General Data Protection Regulation provide as follows:<br />
"(1) Each supervisory authority shall have all the following powers of investigation:<br />
a) to order the operator and the person authorized by the operator and, as the case may be, the representative of the operator or the person authorized by the operator to provide any information that the supervisory authority requests in order to carry out its tasks;<br />
e) to obtain, from the operator and the person empowered by the operator, access to all personal data and to all information necessary for the performance of his tasks".<br />
The investigation was carried out as a result of complaints by the petitioner claiming that the operator had sent him unsolicited commercial SMS messages without his consent.<br />
As the operator did not comply with the request for information addressed by the National Supervisory Authority in the exercise of its powers, it was sanctioned with a fine.<br />
<br />
Legal and Communication Department<br />
A.N.S.P.D.C.P.<br />
<br />
<br />
<br />
<br />
<br />
</pre></div>DianaRhttps://gdprhub.eu/index.php?title=ANSPDCP_(Romania)_-_Fine_against_Telekom_Rom%C3%A2nia_Communications_SA_4&diff=21842ANSPDCP (Romania) - Fine against Telekom România Communications SA 42021-12-14T22:54:22Z<p>DianaR: formating</p>
<hr />
<div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=Romania<br />
|DPA-BG-Color=background-color:#ffffff;<br />
|DPAlogo=LogoRO.jpg<br />
|DPA_Abbrevation=ANSPDCP (Romania)<br />
|DPA_With_Country=ANSPDCP (Romania)<br />
<br />
|Case_Number_Name=Fine against Telekom România Communications SA 4<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=ANSPDCP<br />
|Original_Source_Link_1=https://www.dataprotection.ro/?page=Comunicat_Presa_06_12_2021_2&lang=ro<br />
|Original_Source_Language_1=Romanian<br />
|Original_Source_Language__Code_1=RO<br />
<br />
|Type=Investigation<br />
|Outcome=Violation Found<br />
|Date_Decided=<br />
|Date_Published=06.12.2021<br />
|Year=2021<br />
|Fine=6000<br />
|Currency=EUR<br />
<br />
|GDPR_Article_1=Article 5(1)(d) GDPR<br />
|GDPR_Article_Link_1=Article 5 GDPR#1d<br />
|GDPR_Article_2=Article 5(1)(f) GDPR<br />
|GDPR_Article_Link_2=Article 5 GDPR#1f<br />
|GDPR_Article_3=Article 5(2) GDPR<br />
|GDPR_Article_Link_3=Article 5 GDPR#2<br />
|GDPR_Article_4=Article 17 GDPR<br />
|GDPR_Article_Link_4=Article 17 GDPR<br />
<br />
<br />
<br />
|Party_Name_1=Telekom România Communications SA<br />
|Party_Link_1=https://www.telekom.ro/<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
|Party_Name_4=<br />
|Party_Link_4=<br />
|Party_Name_5=<br />
|Party_Link_5=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=Unknown<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=Diana Rosu<br />
|<br />
}}<br />
<br />
Telekom Romania was fined approximately €6.000 after collecting and processing inaccurate personal data in breach of Articles 5(1)(d), (f) and 5(2), and ignoring a data subject's erasure request in breach of Article 17.<br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
A data subject filed a complaint after Telekom Romania (one of the biggest telecommunication providers in the country) erroneously sent them e-mail invoices and notifications issued for another person. <br />
<br />
The DPA started an investigation and found that the situation arose because Telekom collected inaccurate data from one of its clients and did not take the necessary measures to enforce an erasure request.<br />
<br />
=== Holding ===<br />
The DPA decided that collecting inaccurate data and sending invoices and notifications containing personal data to the wrong recipient breached GDPR Articles 5(1)(d), (f) and 5(2), and issued a fine of approximately €5.000 (RON 24.745).<br />
<br />
Not answering the data subject's erasure request was in breach of GDPR's Article 17, and caused a fine of approximately €1.000 (RON 4.949).<br />
<br />
Additionally, the DPA applied two corrective measures:<br />
<br />
- it ordered the controller to bring its processing operations into compliance with the Regulation, by implementing efficient measures which would guarantee the accuracy of personal data at the moment of the collection;<br />
<br />
- it ordered the controller to comply with the data subjects’ erasure and rectification requests, by adopting effective technical and organizational measures which will guarantee the correct implementation of such changes.<br />
<br />
== Comment ==<br />
''Share your comments here!''<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.<br />
<br />
<pre><br />
<br />
<br />
<br />
<br />
<br />
06.12.2021<br />
RGPD<br />
<br />
The National Supervisory Authority completed in November 2021 an investigation at the operator Telekom Romania Communications SA following which it was found the violation of the provisions of art. 5 para. (1) lit. d) and f) and par. (2), as well as of art. 17 of the General Data Protection Regulation (RGPD).<br />
The operator of Telekom Romania Communications S.A. was fined as follows:<br />
<br />
fine in the amount of 24,745 lei, the equivalent of 5,000 euros, for violating the provisions of art. 5 para. (1) lit. d) and f) and par. (2) of the RGPD;<br />
fine in the amount of 4,949 lei, the equivalent of 1,000 euros, for violating the provisions of art. 17 of the RGPD.<br />
<br />
The investigation was initiated as a result of a complaint made by a data subject claiming the receipt, from the operator Telekom Romania Communications SA, on his e-mail address, of some invoices and notification messages regarding the arrears accumulated by another person, a subscriber of the same company.<br />
During the investigation, the National Supervisory Authority found that the operator had incorrectly collected and processed certain inaccurate personal data, which also led to the illegal disclosure of personal data to another individual, which is a violation of the principles of personal data processing, enshrined in art. 5 para. (1) lit. d) and f) and par. (2) of the General Data Protection Regulation.<br />
At the same time, during the investigation, it was found that the operator did not adopt the necessary measures to comply with the request for deletion made, according to art. 17 of the General Data Protection Regulation.<br />
The following corrective measures were also applied to the operator:<br />
<br />
to ensure the compliance with RGPD of the operations of collection and further processing of personal data, by implementing efficient methods to ensure the accuracy of data, including in the case of data collection, such as e-mail address, which allow remote communication of personal data. In this regard, it has been decided to put in place adequate and effective security measures, both from a technical point of view (such as: automated data collection, securing the transmission of documents and messages by encryption / password), and from an organizational point of view, through regular training of data controllers under the authority of the operator;<br />
to ensure compliance with the RGPD in case of requests for deletion or rectification of personal data, by adopting appropriate technical and organizational measures to ensure the effective and correct implementation of these operations in the database(s) used by the operator and his authorized persons, as well as appropriate training of data controllers under their authority.<br />
<br />
In this context, it is noted that recital (65) of the General Data Protection Regulation stated that "The data subject should have the right to rectification of personal data concerning him/her and 'the right to be forgotten' if the storage of such data infringes this Regulation or Union law or the national law to which the operator belongs. (...)"<br />
<br />
Legal and Communication Department<br />
A.N.S.P.D.C.P.<br />
<br />
<br />
<br />
<br />
<br />
</pre></div>DianaRhttps://gdprhub.eu/index.php?title=ANSPDCP_(Romania)_-_Fine_against_Telekom_Rom%C3%A2nia_Communications_SA_4&diff=21841ANSPDCP (Romania) - Fine against Telekom România Communications SA 42021-12-14T22:53:12Z<p>DianaR: Created page with "{{DPAdecisionBOX |Jurisdiction=Romania |DPA-BG-Color=background-color:#ffffff; |DPAlogo=LogoRO.jpg |DPA_Abbrevation=ANSPDCP (Romania) |DPA_With_Country=ANSPDCP (Romania) |Ca..."</p>
<hr />
<div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=Romania<br />
|DPA-BG-Color=background-color:#ffffff;<br />
|DPAlogo=LogoRO.jpg<br />
|DPA_Abbrevation=ANSPDCP (Romania)<br />
|DPA_With_Country=ANSPDCP (Romania)<br />
<br />
|Case_Number_Name=Fine against Telekom România Communications SA 4<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=ANSPDCP<br />
|Original_Source_Link_1=https://www.dataprotection.ro/?page=Comunicat_Presa_06_12_2021_2&lang=ro<br />
|Original_Source_Language_1=Romanian<br />
|Original_Source_Language__Code_1=RO<br />
<br />
|Type=Investigation<br />
|Outcome=Violation Found<br />
|Date_Decided=<br />
|Date_Published=06.12.2021<br />
|Year=2021<br />
|Fine=6000<br />
|Currency=EUR<br />
<br />
|GDPR_Article_1=Article 5(1)(d) GDPR<br />
|GDPR_Article_Link_1=Article 5 GDPR#1d<br />
|GDPR_Article_2=Article 5(1)(f) GDPR<br />
|GDPR_Article_Link_2=Article 5 GDPR#1f<br />
|GDPR_Article_3=Article 5(2) GDPR<br />
|GDPR_Article_Link_3=Article 5 GDPR#2<br />
|GDPR_Article_4=Article 17 GDPR<br />
|GDPR_Article_Link_4=Article 17 GDPR<br />
<br />
<br />
<br />
|Party_Name_1=Telekom România Communications SA<br />
|Party_Link_1=https://www.telekom.ro/<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
|Party_Name_4=<br />
|Party_Link_4=<br />
|Party_Name_5=<br />
|Party_Link_5=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=Unknown<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=Diana Rosu<br />
|<br />
}}<br />
<br />
Telekom Romania was fined approximately €6.000 after collecting and processing inaccurate personal data in breach of Articles 5(1)(d), (f) and 5(2), and ignoring a data subject's erasure request in breach of Article 17.<br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
A data subject filed a complaint after Telekom Romania (one of the biggest telecommunication providers in the country) erroneously sent them e-mail invoices and notifications issued for another person. <br />
<br />
The DPA started an investigation and found that the situation arose because Telekom collected inaccurate data from one of its clients and did not take the necessary measures to enforce an erasure request. <br />
<br />
=== Holding ===<br />
The DPA decided that collecting inaccurate data and sending invoices and notifications containing personal data to the wrong recipient was in breach of GDPR Articles 5(1)(d), (f) and 5(2), and issued a fine of approximately €5.000 (RON 24.745). <br />
<br />
Not answering the data subject's erasure request was in breach of GDPR Article 17, and resulted in a fine of approximately €1.000 (RON 4.949).<br />
<br />
Additionally, the DPA applied two corrective measures:<br />
- it ordered the controller to bring its processing operations into compliance with the Regulation, by implementing efficient measures which would guarantee the accuracy of personal data at the moment of the collection;<br />
- it ordered the controller to comply with the data subjects’ erasure and rectification requests, by adopting effective technical and organizational measures which will guarantee the correct implementation of such changes.<br />
<br />
== Comment ==<br />
''Share your comments here!''<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.<br />
<br />
<pre><br />
<br />
<br />
<br />
<br />
<br />
06.12.2021<br />
RGPD<br />
<br />
The National Supervisory Authority completed in November 2021 an investigation at the operator Telekom Romania Communications SA following which it was found the violation of the provisions of art. 5 para. (1) lit. d) and f) and par. (2), as well as of art. 17 of the General Data Protection Regulation (RGPD).<br />
The operator of Telekom Romania Communications S.A. was fined as follows:<br />
<br />
fine in the amount of 24,745 lei, the equivalent of 5,000 euros, for violating the provisions of art. 5 para. (1) lit. d) and f) and par. (2) of the RGPD;<br />
fine in the amount of 4,949 lei, the equivalent of 1,000 euros, for violating the provisions of art. 17 of the RGPD.<br />
<br />
The investigation was initiated as a result of a complaint made by a data subject claiming the receipt, from the operator Telekom Romania Communications SA, on his e-mail address, of some invoices and notification messages regarding the arrears accumulated by another person, a subscriber of the same company.<br />
During the investigation, the National Supervisory Authority found that the operator had incorrectly collected and processed certain inaccurate personal data, which also led to the illegal disclosure of personal data to another individual, which is a violation of the principles of personal data processing, enshrined in art. 5 para. (1) lit. d) and f) and par. (2) of the General Data Protection Regulation.<br />
At the same time, during the investigation, it was found that the operator did not adopt the necessary measures to comply with the request for deletion made, according to art. 17 of the General Data Protection Regulation.<br />
The following corrective measures were also applied to the operator:<br />
<br />
to ensure the compliance with RGPD of the operations of collection and further processing of personal data, by implementing efficient methods to ensure the accuracy of data, including in the case of data collection, such as e-mail address, which allow remote communication of personal data. In this regard, it has been decided to put in place adequate and effective security measures, both from a technical point of view (such as: automated data collection, securing the transmission of documents and messages by encryption / password), and from an organizational point of view, through regular training of data controllers under the authority of the operator;<br />
to ensure compliance with the RGPD in case of requests for deletion or rectification of personal data, by adopting appropriate technical and organizational measures to ensure the effective and correct implementation of these operations in the database(s) used by the operator and his authorized persons, as well as appropriate training of data controllers under their authority.<br />
<br />
In this context, it is noted that recital (65) of the General Data Protection Regulation stated that "The data subject should have the right to rectification of personal data concerning him / her and 'the right to be forgotten' if the storage of such data infringes this Regulation or Union law or the national law to which the operator belongs. (...)"<br />
<br />
Legal and Communication Department<br />
A.N.S.P.D.C.P.<br />
<br />
<br />
<br />
<br />
<br />
</pre></div>DianaRhttps://gdprhub.eu/index.php?title=ANSPDCP_(Romania)_-_Fine_against_Societatea_Civil%C4%83_Medical%C4%83_Policlinica_Tommed&diff=21840ANSPDCP (Romania) - Fine against Societatea Civilă Medicală Policlinica Tommed2021-12-14T21:33:16Z<p>DianaR: Created page with "{{DPAdecisionBOX |Jurisdiction=Romania |DPA-BG-Color=background-color:#ffffff; |DPAlogo=LogoRO.jpg |DPA_Abbrevation=ANSPDCP (Romania) |DPA_With_Country=ANSPDCP (Romania) |Ca..."</p>
<hr />
<div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=Romania<br />
|DPA-BG-Color=background-color:#ffffff;<br />
|DPAlogo=LogoRO.jpg<br />
|DPA_Abbrevation=ANSPDCP (Romania)<br />
|DPA_With_Country=ANSPDCP (Romania)<br />
<br />
|Case_Number_Name=Fine against Societatea Civilă Medicală Policlinica Tommed<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=ANSPDCP<br />
|Original_Source_Link_1=https://www.dataprotection.ro/?page=Comunicat_Presa_06_12_2021_1&lang=ro<br />
|Original_Source_Language_1=Romanian<br />
|Original_Source_Language__Code_1=RO<br />
<br />
|Type=Investigation<br />
|Outcome=Violation Found<br />
|Date_Decided=<br />
|Date_Published=06.12.2021<br />
|Year=2021<br />
|Fine=2000<br />
|Currency=EUR<br />
<br />
|GDPR_Article_1=Article 5(1)(a) GDPR<br />
|GDPR_Article_Link_1=Article 5 GDPR#1a<br />
|GDPR_Article_2=Article 5(1)(b) GDPR<br />
|GDPR_Article_Link_2=Article 5 GDPR#1b<br />
|GDPR_Article_3=Article 5(1)(f) GDPR<br />
|GDPR_Article_Link_3=Article 5 GDPR#1f<br />
|GDPR_Article_4=Article 5(2) GDPR<br />
|GDPR_Article_Link_4=Article 5 GDPR#2<br />
|GDPR_Article_5=Article 9 GDPR<br />
|GDPR_Article_Link_5=Article 9 GDPR<br />
<br />
<br />
<br />
|Party_Name_1=Societatea Civilă Medicală Policlinica Tommed<br />
|Party_Link_1=http://www.policlinicatommed.ro/<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
|Party_Name_4=<br />
|Party_Link_4=<br />
|Party_Name_5=<br />
|Party_Link_5=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=Unknown<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=Diana Rosu<br />
|<br />
}}<br />
<br />
The Romanian DPA fined a medical clinic approximately €2.000 after the unlawful disclosure of patient health data to another controller. <br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
The Romanian DPA started an investigation against a medical clinic after a complaint was filed by one of its patients. The investigation found that the clinic unlawfully disclosed to another controller the personal data belonging to the data subject, including their health-related data. The disclosure occurred disregarding the data protection principles, without a legal basis and without informing the data subject. <br />
<br />
<br />
=== Holding ===<br />
As a result, the clinic was fined approximately €2.000 (RON 9.898) and the DPA applied a corrective measure, ordering the clinic to bring its processing operations into compliance to prevent further unlawful disclosure and to apply adequate security and confidentiality measures.<br />
<br />
== Comment ==<br />
''Share your comments here!''<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.<br />
<br />
<pre><br />
<br />
<br />
<br />
<br />
<br />
06.12.2021<br />
RGPD<br />
<br />
In November 2021, the National Supervisory Authority completed an investigation at the operator of the Civil Medical Society Tommed Polyclinic, following which it was found that the provisions of art. 5 para. (1) lit. a), b) and f) and par. (2), corroborated with art. 9 of the General Data Protection Regulation, were violated.<br />
As such, the operator was sanctioned with a fine of 9898 lei (equivalent to 2,000 euros).<br />
The investigation was launched following a complaint alleging that the Tommed Polyclinic Medical Society disclosed certain personal data, including health, of an individual to another operator.<br />
During the investigation it was found that the controller disclosed the personal data without respecting the principles of processing and without complying with the legal conditions of processing of personal data, including health, and without prior information of the person involved (patient of the operator).<br />
At the same time, the corrective measure was applied to the operator to ensure the compliance with RGPD of the operations of collection and further processing of personal data, so as to avoid the disclosure of personal data processed, in violation of legal conditions, which also involves the application of appropriate security and confidentiality measures, through the regular training of data controllers under the authority of the controller and the appropriate involvement of the person responsible for the protection of personal data, in accordance with art. 37-39 of the RGPD.<br />
Legal and Communication Department<br />
A.N.S.P.D.C.P.<br />
<br />
<br />
<br />
<br />
<br />
</pre></div>DianaRhttps://gdprhub.eu/index.php?title=ANSPDCP_(Romania)_-_Fine_against_VODAFONE_Rom%C3%A2nia_S.A._5&diff=21322ANSPDCP (Romania) - Fine against VODAFONE România S.A. 52021-11-17T00:14:19Z<p>DianaR: formating and adding links</p>
<hr />
<div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=Romania<br />
|DPA-BG-Color=background-color:#ffffff;<br />
|DPAlogo=LogoRO.jpg<br />
|DPA_Abbrevation=ANSPDCP (Romania)<br />
|DPA_With_Country=ANSPDCP (Romania)<br />
<br />
|Case_Number_Name=Fine against VODAFONE România S.A. 5<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=ANSPDCP<br />
|Original_Source_Link_1=https://www.dataprotection.ro/?page=Comunicat_Presa_11_11_2021&lang=ro<br />
|Original_Source_Language_1=Romanian<br />
|Original_Source_Language__Code_1=RO<br />
<br />
|Type=Investigation<br />
|Outcome=Violation Found<br />
|Date_Decided=<br />
|Date_Published=11.11.2021<br />
|Year=2021<br />
|Fine=2900<br />
|Currency=EUR<br />
<br />
|GDPR_Article_1=Article 32(1)(b) GDPR<br />
|GDPR_Article_Link_1=Article 32 GDPR#1b<br />
|GDPR_Article_2=Article 32(4) GDPR<br />
|GDPR_Article_Link_2=Article 32 GDPR#4<br />
<br />
<br />
|National_Law_Link_1=http://legislatie.just.ro/Public/DetaliiDocument/56973<br />
|National_Law_Name_2=Articles 3(1), 3(3)(a) and 3(3)(b) of Law no. 506/2004<br />
|National_Law_Link_2=http://legislatie.just.ro/Public/DetaliiDocument/56973<br />
<br />
|Party_Name_1=VODAFONE România S.A.<br />
|Party_Link_1=https://www.vodafone.ro/<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
|Party_Name_4=<br />
|Party_Link_4=<br />
|Party_Name_5=<br />
|Party_Link_5=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=Unknown<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=Diana Rosu<br />
|<br />
}}<br />
<br />
Vodafone Romania was sanctioned approx €2,900 for failing to implement sufficient technical and organisational measures which led to the unauthorised access and disclosure of personal data belonging to 70 natural persons. <br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
The Romanian DPA started an investigation after the controller Vodafone Romania notified several security incidents that involved personal data. <br />
<br />
One of the incidents led to the unauthorised access and disclosure of personal data belonging to 6 data subjects: their contracts were sent via email to the wrong recipients and the controller's employees obtained unauthorised access to the individuals' data between 16.11.2020 - 18.05.2021. The investigation found that the controller did not implement sufficient technical and organisational measures to ensure that any person acting under its authority with access to personal data will act according to the controller's instructions (GDPR Article 32(4)). The controller also failed to implement the necessary measures to ensure the confidentiality of data (GDPR Article 32(1)(b)).<br />
<br />
Another incident, which occurred between 04.11.2020 and 22.06.2021, allowed the controller's employees to have unauthorised access to personal data belonging to 64 individuals. The DPA found that the controller did not implement sufficient technical and organisational measures to ensure that personal data will be accessed only by the authorised employees (Article 3(3)(a) of Law no. 506/2004), failing to ensure protection against unlawful processing, access and disclosure (Article 3(3)(b) of Law no. 506/2004). <br />
<br />
=== Holding ===<br />
As such, the Romanian DPA found a violation of two legal acts concerning the security of processing:<br />
- Article 32(1)(b) and 32(4) of GDPR, and<br />
- Article 3(1), 3(3)(a) and 3(3)(b) of the national Law no. 506/2004.<br />
<br />
The GDPR violation was sanctioned with a fine of approx €1,500 (RON 7,421.25) and the violation of the national Law no. 506/2004 with a fine of approx €1,400 (RON 7,000).<br />
<br />
== Comment ==<br />
(1) In Romania, there are two parallel provisions that require a controller to implement security measures: Article 32 of the GDPR and Article 3 of Law no. 506/2004. The latter is the transposition of the E-Privacy Directive's Article 4.<br />
<br />
<br />
(2) This is the second time Vodafone Romania is sanctioned for not taking the necessary measures to prevent a data breach, more specifically when individuals' data is wrongfully sent to different recipients (the first fine regarding such a violation is summarised on GDPRhub - [https://gdprhub.eu/index.php?title=ANSPDCP_(Romania)_-_Fine_against_Vodafone_Rom%C3%A2nia_S.A._4 Fine against Vodafone România S.A. 4]).<br />
<br />
Furthermore, Vodafone Romania has been constantly fined for GDPR/privacy-related violations (out of which [https://gdprhub.eu/index.php?search=vodafone+romania&title=Special%3ASearch&go=Go 4 other decisions are available on GDPRhub]). However, each fine is considerably lower compared to Vodafone's global turnover and consequently, it doesn't have a visible effect on the controller's ways of processing personal data.<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.<br />
<br />
<pre><br />
<br />
<br />
<br />
<br />
<br />
11.11.2021<br />
Sanction for violating RGPD<br />
<br />
In October 2021, the National Supervisory Authority completed an investigation at the operator VODAFONE Romania S.A. and found a violation of the provisions of art. 32 para. (1) lit. b) and para. (4) of the General Regulation on Data Protection (RGPD), as well as the violation of the provisions of art. 3 para. (1) and para. (3) lit. a) and b) of Law no. 506/2004 on the processing of personal data and the protection of privacy in the electronic communications sector.<br />
Operator S.A. was fined as follows:<br />
- fine in the amount of 7,421.25 lei, the equivalent of 1,500 EURO, for violating the provisions of art. 32 para. (1) lit. b) and para. (2) of the RGPD;<br />
- fine in the amount of 7,000 lei for violating the provisions of art. 3 para. (1) and para. (3) lit. a) and b) of Law no. 506/2004<br />
The investigation was initiated following the submission by the controller of several notifications of personal data breaches under the General Data Protection Regulation or Regulation (EU) No 611/2013.<br />
With regard to security breaches notified under the RGPD, the National Supervisory Authority found that the operator did not implement adequate technical and organizational measures to ensure that any natural person acting under the authority of the operator or the person authorized by the operator and having access to personal data shall be processed only at the request of the controller unless this obligation is incumbent on him under Union or national law and to ensure a level of security appropriate to the risk of the processing, including the ability to ensure the confidentiality of the data.<br />
This situation led to unauthorized disclosure and / or unauthorized access to the personal data of a number of 6 individuals, between 16 November 2020 - 18 May 2021 (transmission of service contracts to erroneous e-mail addresses, unauthorized access of the operator's employees to the personal data of Vodafone customers without any requests from them).<br />
With regard to security breaches notified under Regulation (EU) no. 611/2013, the National Supervisory Authority found that the operator did not implement adequate technical and organizational measures to ensure the security of personal data processing, to ensure that personal data can be accessed only by persons authorized for the purposes authorized by law and protect personal data stored or transmitted against unlawful processing, access or disclosure.<br />
Thus, the operator processed the personal data of 64 individuals by unauthorized access to their data by the operator's employees between November 4, 2020 - June 22, 2021.<br />
<br />
Legal and Communication Department<br />
A.N.S.P.D.C.P<br />
<br />
<br />
<br />
<br />
<br />
</pre></div>DianaRhttps://gdprhub.eu/index.php?title=ANSPDCP_(Romania)_-_Fine_against_VODAFONE_Rom%C3%A2nia_S.A._5&diff=21321ANSPDCP (Romania) - Fine against VODAFONE România S.A. 52021-11-17T00:07:06Z<p>DianaR: Created page with "{{DPAdecisionBOX |Jurisdiction=Romania |DPA-BG-Color=background-color:#ffffff; |DPAlogo=LogoRO.jpg |DPA_Abbrevation=ANSPDCP (Romania) |DPA_With_Country=ANSPDCP (Romania) |Ca..."</p>
<hr />
<div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=Romania<br />
|DPA-BG-Color=background-color:#ffffff;<br />
|DPAlogo=LogoRO.jpg<br />
|DPA_Abbrevation=ANSPDCP (Romania)<br />
|DPA_With_Country=ANSPDCP (Romania)<br />
<br />
|Case_Number_Name=Fine against VODAFONE România S.A. 5<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=ANSPDCP<br />
|Original_Source_Link_1=https://www.dataprotection.ro/?page=Comunicat_Presa_11_11_2021&lang=ro<br />
|Original_Source_Language_1=Romanian<br />
|Original_Source_Language__Code_1=RO<br />
<br />
|Type=Investigation<br />
|Outcome=Violation Found<br />
|Date_Decided=<br />
|Date_Published=11.11.2021<br />
|Year=2021<br />
|Fine=2900<br />
|Currency=EUR<br />
<br />
|GDPR_Article_1=Article 32(1)(b) GDPR<br />
|GDPR_Article_Link_1=Article 32 GDPR#1b<br />
|GDPR_Article_2=Article 32(4) GDPR<br />
|GDPR_Article_Link_2=Article 32 GDPR#4<br />
<br />
<br />
|National_Law_Name_1=Articles 3(1), 3(3)(a), 3(3)(b) of Law 506/2004<br />
|National_Law_Link_1=http://legislatie.just.ro/Public/DetaliiDocument/56973<br />
|National_Law_Name_2=Articles 3(1), 3(3)(a) and 3(3)(b) of Law no. 506/2004<br />
|National_Law_Link_2=http://legislatie.just.ro/Public/DetaliiDocument/56973<br />
<br />
|Party_Name_1=VODAFONE România S.A.<br />
|Party_Link_1=https://www.vodafone.ro/<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
|Party_Name_4=<br />
|Party_Link_4=<br />
|Party_Name_5=<br />
|Party_Link_5=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=Unknown<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=Diana Rosu<br />
|<br />
}}<br />
<br />
Vodafone Romania was sanctioned approx €2,900 for failing to implement sufficient technical and organisational measures which led to the unauthorised access and disclosure of personal data belonging to 70 natural persons. <br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
The Romanian DPA started an investigation after the controller Vodafone Romania notified several security incidents that involved personal data. <br />
<br />
One of the incidents led to the unauthorised access and disclosure of personal data belonging to 6 data subjects: their contracts were sent via email to the wrong recipients and the controller's employees obtained unauthorised access to the individuals' data between 16.11.2020 - 18.05.2021. The investigation found that the controller did not implement sufficient technical and organisational measures to ensure that any person acting under its authority with access to personal data will act according to the controller's instructions (GDPR Article 32(4)). The controller also failed to implement the necessary measures to ensure the confidentiality of data (GDPR Article 32(1)(b)).<br />
<br />
Another incident, which occurred between 04.11.2020 and 22.06.2021, allowed the controller's employees to have unauthorised access to personal data belonging to 64 individuals. The DPA found that the controller did not implement sufficient technical and organisational measures to ensure that personal data will be accessed only by the authorised employees (Article 3(3)(a) of Law no. 506/2004), failing to ensure protection against unlawful processing, access and disclosure (Article 3(3)(b) of Law no. 506/2004). <br />
<br />
=== Holding ===<br />
As such, the Romanian DPA found a violation of two legal acts concerning the security of processing:<br />
- Article 32(1)(b) and 32(4) of GDPR, and<br />
- Article 3(1), 3(3)(a) and 3(3)(b) of the national Law no. 506/2004.<br />
<br />
The GDPR violation was sanctioned with a fine of approx €1,500 (RON 7,421.25) and the violation of the national Law no. 506/2004 with a fine of approx €1,400 (RON 7,000).<br />
<br />
== Comment ==<br />
(1) In Romania, there are two parallel provisions that require a controller to implement security measures: Article 32 of the GDPR and Article 3 of Law no. 506/2004. The latter is the transposition of the E-Privacy Directive's Article 4.<br />
<br />
(2) This is the second time Vodafone Romania is sanctioned for not taking the necessary measures to prevent a data breach, more specifically when individuals' data is wrongfully sent to different recipients (the first fine regarding such a violation is summarised on GDPRhub - Fine against Vodafone România S.A. 4).<br />
Furthermore, Vodafone Romania has been constantly fined for GDPR/privacy-related violations (out of which 4 other decisions are available on GDPRhub). However, each fine is considerably lower compared to Vodafone's global turnover and consequently, it doesn't have a visible effect on the controller's ways of processing personal data.<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.<br />
<br />
<pre><br />
<br />
<br />
<br />
<br />
<br />
11.11.2021<br />
Sanction for violating RGPD<br />
<br />
In October 2021, the National Supervisory Authority completed an investigation at the operator VODAFONE Romania S.A. and found a violation of the provisions of art. 32 para. (1) lit. b) and para. (4) of the General Regulation on Data Protection (RGPD), as well as the violation of the provisions of art. 3 para. (1) and para. (3) lit. a) and b) of Law no. 506/2004 on the processing of personal data and the protection of privacy in the electronic communications sector.<br />
Operator S.A. was fined as follows:<br />
- fine in the amount of 7,421.25 lei, the equivalent of 1,500 EURO, for violating the provisions of art. 32 para. (1) lit. b) and para. (2) of the RGPD;<br />
- fine in the amount of 7,000 lei for violating the provisions of art. 3 para. (1) and para. (3) lit. a) and b) of Law no. 506/2004<br />
The investigation was initiated following the submission by the controller of several notifications of personal data breaches under the General Data Protection Regulation or Regulation (EU) No 611/2013.<br />
With regard to security breaches notified under the RGPD, the National Supervisory Authority found that the operator did not implement adequate technical and organizational measures to ensure that any natural person acting under the authority of the operator or the person authorized by the operator and having access to personal data shall be processed only at the request of the controller unless this obligation is incumbent on him under Union or national law and to ensure a level of security appropriate to the risk of the processing, including the ability to ensure the confidentiality of the data.<br />
This situation led to unauthorized disclosure and / or unauthorized access to the personal data of a number of 6 individuals, between 16 November 2020 - 18 May 2021 (transmission of service contracts to erroneous e-mail addresses, unauthorized access of the operator's employees to the personal data of Vodafone customers without any requests from them).<br />
With regard to security breaches notified under Regulation (EU) no. 611/2013, the National Supervisory Authority found that the operator did not implement adequate technical and organizational measures to ensure the security of personal data processing, to ensure that personal data can be accessed only by persons authorized for the purposes authorized by law and protect personal data stored or transmitted against unlawful processing, access or disclosure.<br />
Thus, the operator processed the personal data of 64 individuals by unauthorized access to their data by the operator's employees between November 4, 2020 - June 22, 2021.<br />
<br />
Legal and Communication Department<br />
A.N.S.P.D.C.P<br />
<br />
<br />
<br />
<br />
<br />
</pre></div>DianaRhttps://gdprhub.eu/index.php?title=ANSPDCP_(Romania)_-_Fine_against_IKEA_ROM%C3%82NIA_SA&diff=21118ANSPDCP (Romania) - Fine against IKEA ROMÂNIA SA2021-11-03T00:05:42Z<p>DianaR: Created page with "{{DPAdecisionBOX |Jurisdiction=Romania |DPA-BG-Color=background-color:#ffffff; |DPAlogo=LogoRO.jpg |DPA_Abbrevation=ANSPDCP (Romania) |DPA_With_Country=ANSPDCP (Romania) |Ca..."</p>
<hr />
<div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=Romania<br />
|DPA-BG-Color=background-color:#ffffff;<br />
|DPAlogo=LogoRO.jpg<br />
|DPA_Abbrevation=ANSPDCP (Romania)<br />
|DPA_With_Country=ANSPDCP (Romania)<br />
<br />
|Case_Number_Name=Fine against IKEA ROMÂNIA SA<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=ANSPDCP<br />
|Original_Source_Link_1=https://www.dataprotection.ro/?page=Comunicat_Presa_01_11_2021_2&lang=ro<br />
|Original_Source_Language_1=Romanian<br />
|Original_Source_Language__Code_1=RO<br />
<br />
|Type=Investigation<br />
|Outcome=Violation Found<br />
|Date_Decided=14.10.2021<br />
|Date_Published=01.11.2021<br />
|Year=2021<br />
|Fine=1000<br />
|Currency=EUR<br />
<br />
|GDPR_Article_1=Article 32(1)(b) GDPR<br />
|GDPR_Article_Link_1=Article 32 GDPR#1b<br />
|GDPR_Article_2=Article 32(2) GDPR<br />
|GDPR_Article_Link_2=Article 32 GDPR#2<br />
<br />
<br />
<br />
|Party_Name_1=IKEA ROMÂNIA SA<br />
|Party_Link_1=https://www.ikea.com/ro/ro/<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
|Party_Name_4=<br />
|Party_Link_4=<br />
|Party_Name_5=<br />
|Party_Link_5=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=Unknown<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=Diana Rosu<br />
|<br />
}}<br />
<br />
Ikea Romania was fined approx €1,000 for a data breach where personal data was erroneously made available online on an Ikea members' platform. The incident affected the personal data of 114 data subjects, half of which were minors. <br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
The controller Ikea Romania organised a drawing contest for the children of 'Ikea Family' members. To join the contest, the legal guardians of the children had to upload the drawings, their personal data, and their children's personal data on a dedicated platform. <br />
<br />
To allow voting for the contest winner, Ikea had to make the drawings public, but it erroneously also published the personal data of the participants (children and their legal guardians).<br />
<br />
This event was notified to the Romanian DPA as a data breach.<br />
<br />
=== Holding ===<br />
The Romanian DPA started an investigation and found that the personal data of 114 data subjects (half of whom were minors) was erroneously published and left available online for 40 hours on the dedicated platform for 'Ikea Family' members. This event affected the confidentiality of the personal data, in breach of GDPR Articles 32(1)b and 32(2), and led to a fine against Ikea Romania of approx €1,000 (RON 4948.8).<br />
<br />
== Comment ==<br />
''Share your comments here!''<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.<br />
<br />
<pre><br />
<br />
<br />
<br />
<br />
<br />
01.11.2021<br />
RGPD<br />
<br />
The National Supervisory Authority completed on 14.10.2021 an investigation at the operator IKEA ROMANIA SA, following which it was found the violation of the provisions of art. 32 para. (1) lit. b) and para. (2) of the General Data Protection Regulation.<br />
As such, the operator was sanctioned with a fine of 4948.80 lei (equivalent to 1,000 EURO).<br />
The investigation was started as a result of the transmission by IKEA ROMANIA SA to the National Authority for the Supervision of Personal Data Processing of a notification of personal data security breach.<br />
Thus, according to the mentions in the notification form, IKEA ROMANIA SA organized a drawing contest in which the children of IKEA Family members participated. The participants uploaded in the online platform dedicated to the members their own drawings, together with the participation forms, which contained their personal data but also that of the parents / legal guardians, including their consent. In order to vote for the best drawing, the children's drawings were published on the online platform, by mistake, together with the personal data included in the participation forms.<br />
At the time of the investigation, it was found that the security incident led to the unauthorized disclosure of personal data of IKEA Family members (name, surname and age of minors, name, surname, city, country, e-mail, membership number IKEA Family and the handwritten signature of the parent / legal guardian), on the online platform dedicated to IKEA Family members in Romania, accessible only to them, for about 40 hours, affecting a number of 114 individuals (half of them minors).<br />
As such, it was found that this incident led to the compromise of data confidentiality, in violation of the provisions of art. 32 para. (1) lit. b) and para. (2) of the RGPD.<br />
In this context, we emphasize that, according to recital 38 of the RGPD, “Children need specific protection of their personal data, as they may be less aware of the risks, consequences, safeguards involved and their rights regarding the processing. personal data. This specific protection should apply in particular to the use of children's personal data for marketing purposes or to the creation of personality or user profiles and to the collection of personal data concerning children when using services provided directly to children."<br />
<br />
Legal and Communication Department<br />
A.N.S.P.D.C.P.<br />
<br />
<br />
<br />
<br />
<br />
</pre></div>DianaRhttps://gdprhub.eu/index.php?title=ANSPDCP_(Romania)_-_Fine_against_S.P.E.E.H._Hidroelectrica_S.A.&diff=21117ANSPDCP (Romania) - Fine against S.P.E.E.H. Hidroelectrica S.A.2021-11-02T23:04:44Z<p>DianaR: formating</p>
<hr />
<div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=Romania<br />
|DPA-BG-Color=background-color:#ffffff;<br />
|DPAlogo=LogoRO.jpg<br />
|DPA_Abbrevation=ANSPDCP (Romania)<br />
|DPA_With_Country=ANSPDCP (Romania)<br />
<br />
|Case_Number_Name=Fine against S.P.E.E.H. Hidroelectrica S.A.<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=ANSPDCP<br />
|Original_Source_Link_1=https://www.dataprotection.ro/?page=Comunicat_Presa_01_11_2021_1&lang=ro<br />
|Original_Source_Language_1=Romanian<br />
|Original_Source_Language__Code_1=RO<br />
<br />
|Type=Investigation<br />
|Outcome=Violation Found<br />
|Date_Decided=01.10.2021<br />
|Date_Published=01.11.2021<br />
|Year=2021<br />
|Fine=5000<br />
|Currency=EUR<br />
<br />
|GDPR_Article_1=Article 5(1)(a) GDPR<br />
|GDPR_Article_Link_1=Article 5 GDPR#1a<br />
|GDPR_Article_2=Article 6(1) GDPR<br />
|GDPR_Article_Link_2=Article 6 GDPR#1<br />
|GDPR_Article_3=Article 32(1)(b) GDPR<br />
|GDPR_Article_Link_3=Article 32 GDPR#1b<br />
|GDPR_Article_4=Article 32(2) GDPR<br />
|GDPR_Article_Link_4=Article 32 GDPR#2<br />
<br />
<br />
<br />
|Party_Name_1=S.P.E.E.H. Hidroelectrica S.A.<br />
|Party_Link_1=https://www.hidroelectrica.ro/<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
|Party_Name_4=<br />
|Party_Link_4=<br />
|Party_Name_5=<br />
|Party_Link_5=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=Unknown<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=Diana Rosu<br />
|<br />
}}<br />
<br />
The Romanian DPA fined a controller approx €5,000, issued a warning and applied two corrective measures, as sanctions for a data breach and for processing personal data without a legal basis, in breach of GDPR Articles 32(1)b, 32(2), 5(1)a and 6(1).<br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
During a data breach, the controller S.P.E.E.H. Hidroelectrica S.A. (a supplier of hydroelectricity) erroneously sent the personal data of 325 data subjects to the wrong recipients. The data breach was reported to the Romanian DPA.<br />
<br />
In addition to the data breach, the investigation revealed that the controller processed the personal data of 3 data subjects who had previously exercised their right to erasure and withdrawn their consent for the processing.<br />
<br />
=== Holding ===<br />
The Romanian DPA completed an investigation and found a breach of several GDPR articles, for which it sanctioned the controller as follows: <br />
<br />
- a fine of approx €5,000 (RON 24,739.50) for breaching Articles 32(1)b and 32(2);<br />
<br />
- a warning for breaching Articles 5(1)a and 6(1);<br />
<br />
- a corrective measure ordering the controller to update its technical and organisational measures to ensure a level of security appropriate to the risk of processing; <br />
<br />
- a corrective measure ordering the controller to implement a measure that will guarantee personal data is accurate and updated according to the purpose of processing. <br />
== Comment ==<br />
''Share your comments here!''<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.<br />
<br />
<pre><br />
<br />
<br />
<br />
<br />
<br />
01.11.2021<br />
Sanction for violating RGPD<br />
<br />
On 01.10.2021, the National Supervisory Authority completed an investigation at the S.P.E.E.H. Hidroelectrica S.A. and found a violation of the provisions of art. 32 para. (1) lit. b) and para. (2) of the General Regulation on Data Protection (RGPD), as well as the violation of the provisions of art. 5 para. (1) lit. a) and of art. 6 para. (1) of the RGPD.<br />
The S.P.E.E.H. Hidroelectrica S.A. was fined as follows:<br />
- fine in the amount of 24,739.50 lei, the equivalent of 5,000 EURO, for violating the provisions of art. 32 para. (1) lit. b) and para. (2) of the RGPD;<br />
- warning, for violating the provisions of art. 5 para. (1) lit. a) and of art. 6 para. (1) of the RGPD.<br />
The investigation was initiated as a result of the transmission by the operator of several notifications of personal data breach.<br />
The national supervisory authority found that the operator did not implement adequate technical and organizational measures in order to ensure a level of security appropriate to the risk presented by the processing.<br />
This situation has led to the access or illicit disclosure to erroneous recipients of the personal data of a number of 325 individuals.<br />
Also, the operator processed the personal data of 3 individuals, own customers, after exercising the right to delete data and withdrawing consent for data processing by them. Thus, the processing was performed without the existence of one of the legal grounds provided by art. 6 para. (1) of the RGPD, although the operator had the obligation to process the data legally, fairly and transparently to the data subject.<br />
At the same time, the following corrective measures were applied to the operator:<br />
- reviewing and updating the technical and organizational measures implemented following the risk assessment for the rights and freedoms of individuals, including working procedures on the protection of personal data, and the implementation of measures on the regular training of persons acting under its authority, regarding the obligations incumbent on them according to the provisions of the RGPD, including regarding the risks involved in the processing of personal data, depending on the specifics of the activity;<br />
- identifying and implementing measures to ensure that the personal data processed are accurate and up-to-date, taking into account the purposes for which they are processed, including the record of the exercise by data subjects of the right to the deletion of personal data.<br />
Legal and Communication Department<br />
A.N.S.P.D.C.P.<br />
<br />
<br />
<br />
<br />
<br />
</pre></div>DianaRhttps://gdprhub.eu/index.php?title=ANSPDCP_(Romania)_-_Fine_against_S.P.E.E.H._Hidroelectrica_S.A.&diff=21116ANSPDCP (Romania) - Fine against S.P.E.E.H. Hidroelectrica S.A.2021-11-02T23:03:30Z<p>DianaR: Created page with "{{DPAdecisionBOX |Jurisdiction=Romania |DPA-BG-Color=background-color:#ffffff; |DPAlogo=LogoRO.jpg |DPA_Abbrevation=ANSPDCP (Romania) |DPA_With_Country=ANSPDCP (Romania) |Ca..."</p>
<hr />
<div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=Romania<br />
|DPA-BG-Color=background-color:#ffffff;<br />
|DPAlogo=LogoRO.jpg<br />
|DPA_Abbrevation=ANSPDCP (Romania)<br />
|DPA_With_Country=ANSPDCP (Romania)<br />
<br />
|Case_Number_Name=Fine against S.P.E.E.H. Hidroelectrica S.A.<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=ANSPDCP<br />
|Original_Source_Link_1=https://www.dataprotection.ro/?page=Comunicat_Presa_01_11_2021_1&lang=ro<br />
|Original_Source_Language_1=Romanian<br />
|Original_Source_Language__Code_1=RO<br />
<br />
|Type=Investigation<br />
|Outcome=Violation Found<br />
|Date_Decided=01.10.2021<br />
|Date_Published=01.11.2021<br />
|Year=2021<br />
|Fine=5000<br />
|Currency=EUR<br />
<br />
|GDPR_Article_1=Article 5(1)(a) GDPR<br />
|GDPR_Article_Link_1=Article 5 GDPR#1a<br />
|GDPR_Article_2=Article 6(1) GDPR<br />
|GDPR_Article_Link_2=Article 6 GDPR#1<br />
|GDPR_Article_3=Article 32(1)(b) GDPR<br />
|GDPR_Article_Link_3=Article 32 GDPR#1b<br />
|GDPR_Article_4=Article 32(2) GDPR<br />
|GDPR_Article_Link_4=Article 32 GDPR#2<br />
<br />
<br />
<br />
|Party_Name_1=S.P.E.E.H. Hidroelectrica S.A.<br />
|Party_Link_1=https://www.hidroelectrica.ro/<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
|Party_Name_4=<br />
|Party_Link_4=<br />
|Party_Name_5=<br />
|Party_Link_5=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=Unknown<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=Diana Rosu<br />
|<br />
}}<br />
<br />
The Romanian DPA fined a controller approx €5,000, issued a warning and applied two corrective measures, as sanctions for a data breach and for processing personal data without a legal basis, in breach of GDPR Articles 32(1)b, 32(2), 5(1)a and 6(1).<br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
During a data breach, the controller S.P.E.E.H. Hidroelectrica S.A. (a supplier of hydroelectricity) erroneously sent the personal data of 325 data subjects to the wrong recipients. The data breach was reported to the Romanian DPA.<br />
<br />
In addition to the data breach, the investigation revealed that the controller processed the personal data of 3 data subjects who had previously exercised their right to erasure and withdrawn their consent for the processing.<br />
<br />
=== Holding ===<br />
The Romanian DPA completed an investigation and found a breach of several GDPR articles, for which it sanctioned the controller as follows: <br />
- a fine of approx €5,000 (RON 24,739.50) for breaching Articles 32(1)b and 32(2);<br />
- a warning for breaching Articles 5(1)a and 6(1);<br />
- a corrective measure ordering the controller to update its technical and organisational measures to ensure a level of security appropriate to the risk of processing;<br />
- a corrective measure ordering the controller to implement a measure that will guarantee personal data is accurate and updated according to the purpose of processing.<br />
<br />
== Comment ==<br />
''Share your comments here!''<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.<br />
<br />
<pre><br />
<br />
<br />
<br />
<br />
<br />
01.11.2021<br />
Sanction for violating RGPD<br />
<br />
On 01.10.2021, the National Supervisory Authority completed an investigation at the S.P.E.E.H. Hidroelectrica S.A. and found a violation of the provisions of art. 32 para. (1) lit. b) and para. (2) of the General Regulation on Data Protection (RGPD), as well as the violation of the provisions of art. 5 para. (1) lit. a) and of art. 6 para. (1) of the RGPD.<br />
The S.P.E.E.H. Hidroelectrica S.A. was fined as follows:<br />
- fine in the amount of 24,739.50 lei, the equivalent of 5,000 EURO, for violating the provisions of art. 32 para. (1) lit. b) and para. (2) of the RGPD;<br />
- warning, for violating the provisions of art. 5 para. (1) lit. a) and of art. 6 para. (1) of the RGPD.<br />
The investigation was initiated as a result of the transmission by the operator of several notifications of personal data breach.<br />
The national supervisory authority found that the operator did not implement adequate technical and organizational measures in order to ensure a level of security appropriate to the risk presented by the processing.<br />
This situation has led to the access or illicit disclosure to erroneous recipients of the personal data of a number of 325 individuals.<br />
Also, the operator processed the personal data of 3 individuals, own customers, after exercising the right to delete data and withdrawing consent for data processing by them. Thus, the processing was performed without the existence of one of the legal grounds provided by art. 6 para. (1) of the RGPD, although the operator had the obligation to process the data legally, fairly and transparently to the data subject.<br />
At the same time, the following corrective measures were applied to the operator:<br />
- reviewing and updating the technical and organizational measures implemented following the risk assessment for the rights and freedoms of individuals, including working procedures on the protection of personal data, and the implementation of measures on the regular training of persons acting under its authority, regarding the obligations incumbent on them according to the provisions of the RGPD, including regarding the risks involved in the processing of personal data, depending on the specifics of the activity;<br />
- identifying and implementing measures to ensure that the personal data processed are accurate and up-to-date, taking into account the purposes for which they are processed, including the record of the exercise by data subjects of the right to the deletion of personal data.<br />
Legal and Communication Department<br />
A.N.S.P.D.C.P.<br />
<br />
<br />
<br />
<br />
<br />
</pre></div>DianaRhttps://gdprhub.eu/index.php?title=ANSPDCP_(Romania)_-_Fine_against_Glove_Technology_SRL&diff=20967ANSPDCP (Romania) - Fine against Glove Technology SRL2021-10-24T18:23:16Z<p>DianaR: added a comma in the fine amount (24745 -> 24,745)</p>
<hr />
<div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=Romania<br />
|DPA-BG-Color=background-color:#ffffff;<br />
|DPAlogo=LogoRO.jpg<br />
|DPA_Abbrevation=ANSPDCP (Romania)<br />
|DPA_With_Country=ANSPDCP (Romania)<br />
<br />
|Case_Number_Name=Fine against Glove Technology SRL<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=ANSPDCP<br />
|Original_Source_Link_1=https://www.dataprotection.ro/?page=Comunicat_Presa_21.10.2021_2&lang=ro<br />
|Original_Source_Language_1=Romanian<br />
|Original_Source_Language__Code_1=RO<br />
<br />
|Type=Investigation<br />
|Outcome=Violation Found<br />
|Date_Decided=23.09.2021<br />
|Date_Published=21.10.2021<br />
|Year=2021<br />
|Fine=24,745<br />
|Currency=RON<br />
<br />
|GDPR_Article_1=Article 5(1)(a) GDPR<br />
|GDPR_Article_Link_1=Article 5 GDPR#1a<br />
|GDPR_Article_2=Article 6(1) GDPR<br />
|GDPR_Article_Link_2=Article 6 GDPR#1<br />
|GDPR_Article_3=Article 58(1)(a) GDPR<br />
|GDPR_Article_Link_3=Article 58 GDPR#1a<br />
<br />
<br />
<br />
|Party_Name_1=Glove Technology SRL<br />
|Party_Link_1=<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
|Party_Name_4=<br />
|Party_Link_4=<br />
|Party_Name_5=<br />
|Party_Link_5=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=Unknown<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=Diana Rosu<br />
|<br />
}}<br />
<br />
The Romanian DPA fined a controller approximately €5,000 (RON 24,745) after it used CCTV systems to surveil its employees, record their conversations and use the recordings against them, in breach of Articles 5(1) and 6(1) of the GDPR.<br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
After a data subject filed a complaint, the Romanian DPA started an investigation against the controller Glove Technology SRL. The investigation revealed that the controller used CCTV cameras inside its offices to surveil its employees and record their conversations with the intention to use the recorded files against them.<br />
<br />
=== Holding ===<br />
The Romanian DPA found that the surveillance took place without a legal basis as required by the GDPR's Article 6(1) and breached the lawfulness, fairness and transparency principle [GDPR's Article 5(1)]. As a result, the controller was fined approximately €5,000 (RON 24,745) and, based on GDPR's Article 58(2), the DPA required the controller to ensure its privacy compliance for future CCTV surveillance, stop any data processing that was made through non-compliant CCTV systems and delete any subsequent data that might have been collected unlawfully through the CCTV systems.<br />
<br />
== Comment ==<br />
''Share your comments here!''<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.<br />
<br />
<pre><br />
<br />
<br />
<br />
<br />
<br />
21.10.2021<br />
Sanction for violating RGPD<br />
<br />
The National Supervisory Authority completed, on 23.09.2021, an investigation at the operator Glove Technology SRL, following which it was found the violation of the provisions of art. 5 para. (1) lit. a) reported to art. 6 para. (1) of the General Regulation on Data Protection, the operator being sanctioned with a fine in the amount of 24,745.00 lei (equivalent to 5,000 EURO).<br />
The sanction was granted because it was found that the operator processed personal data of its employees by using an audio-video system (image and voice), without proving compliance with the legal grounds provided by art. 6 para. (1) of the RGPD, respectively obtaining the consent of the data subjects, fulfilling a legal obligation or the prevalence of its legitimate interest over the interests, rights and freedoms of the data subjects.<br />
It was also found that the operator took the measure of monitoring employees at work through audio-video surveillance systems without complying with the first principle established by art. 5 para. (1) lit. a) of the RGPD, according to which the operator has the obligation to process the data legally, equitably and transparently towards the data subject.<br />
At the same time, pursuant to art. 58 para. (2) lit. d) of the RGPD, the corrective measure was ordered against the operator to ensure the conformity of the processing operations performed using audio-video systems, as well as the cessation of any operation or set of personal data processing operations performed via audio-video systems. video and deletion of the personal data record system established as a result of the use of such systems.<br />
The investigation was started as a result of a notification, which indicated that the operator Glove Technology SRL has installed some audio-video surveillance cameras inside the offices, for direct surveillance of employees at work where they work and record discussions between they, for the purpose of their subsequent use against those employees.<br />
In this context, we emphasize that, insofar as an employer uses monitoring systems by means of video surveillance at work, the processing of personal data of employees in order to achieve the legitimate interests of the employer (art. 6 para. 1 letter f) of the RGPD) is carried out in compliance with the provisions of art. 5 of Law no. 190/2018 which establish, as a first condition, that the legitimate interests pursued by the employer are duly justified and prevail over the interests or rights and freedoms of the persons concerned.<br />
<br />
Legal and Communication Department<br />
A.N.S.P.D.C.P.<br />
<br />
<br />
<br />
<br />
<br />
</pre></div>DianaRhttps://gdprhub.eu/index.php?title=ANSPDCP_(Romania)_-_Fine_against_Glove_Technology_SRL&diff=20966ANSPDCP (Romania) - Fine against Glove Technology SRL2021-10-24T18:20:37Z<p>DianaR: Created page with "{{DPAdecisionBOX |Jurisdiction=Romania |DPA-BG-Color=background-color:#ffffff; |DPAlogo=LogoRO.jpg |DPA_Abbrevation=ANSPDCP (Romania) |DPA_With_Country=ANSPDCP (Romania) |Ca..."</p>
<hr />
<div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=Romania<br />
|DPA-BG-Color=background-color:#ffffff;<br />
|DPAlogo=LogoRO.jpg<br />
|DPA_Abbrevation=ANSPDCP (Romania)<br />
|DPA_With_Country=ANSPDCP (Romania)<br />
<br />
|Case_Number_Name=Fine against Glove Technology SRL<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=ANSPDCP<br />
|Original_Source_Link_1=https://www.dataprotection.ro/?page=Comunicat_Presa_21.10.2021_2&lang=ro<br />
|Original_Source_Language_1=Romanian<br />
|Original_Source_Language__Code_1=RO<br />
<br />
|Type=Investigation<br />
|Outcome=Violation Found<br />
|Date_Decided=23.09.2021<br />
|Date_Published=21.10.2021<br />
|Year=2021<br />
|Fine=24745<br />
|Currency=RON<br />
<br />
|GDPR_Article_1=Article 5(1)(a) GDPR<br />
|GDPR_Article_Link_1=Article 5 GDPR#1a<br />
|GDPR_Article_2=Article 6(1) GDPR<br />
|GDPR_Article_Link_2=Article 6 GDPR#1<br />
|GDPR_Article_3=Article 58(1)(a) GDPR<br />
|GDPR_Article_Link_3=Article 58 GDPR#1a<br />
<br />
<br />
<br />
|Party_Name_1=Glove Technology SRL<br />
|Party_Link_1=<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
|Party_Name_4=<br />
|Party_Link_4=<br />
|Party_Name_5=<br />
|Party_Link_5=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=Unknown<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=Diana Rosu<br />
|<br />
}}<br />
<br />
The Romanian DPA fined a controller approximately €5,000 (RON 24,745) after it used CCTV systems to surveil its employees, record their conversations and use the recordings against them, in breach of Articles 5(1) and 6(1) of the GDPR.<br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
After a data subject filed a complaint, the Romanian DPA started an investigation against the controller Glove Technology SRL. The investigation revealed that the controller used CCTV cameras inside its offices to surveil its employees and record their conversations with the intention to use the recorded files against them.<br />
<br />
=== Holding ===<br />
The Romanian DPA found that the surveillance took place without a legal basis as required by the GDPR's Article 6(1) and breached the lawfulness, fairness and transparency principle [GDPR's Article 5(1)]. As a result, the controller was fined approximately €5,000 (RON 24,745) and, based on GDPR's Article 58(2), the DPA required the controller to ensure its privacy compliance for future CCTV surveillance, stop any data processing that was made through non-compliant CCTV systems and delete any subsequent data that might have been collected unlawfully through the CCTV systems.<br />
<br />
== Comment ==<br />
''Share your comments here!''<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.<br />
<br />
<pre><br />
<br />
<br />
<br />
<br />
<br />
21.10.2021<br />
Sanction for violating RGPD<br />
<br />
The National Supervisory Authority completed, on 23.09.2021, an investigation at the operator Glove Technology SRL, following which it was found the violation of the provisions of art. 5 para. (1) lit. a) reported to art. 6 para. (1) of the General Regulation on Data Protection, the operator being sanctioned with a fine in the amount of 24,745.00 lei (equivalent to 5,000 EURO).<br />
The sanction was granted because it was found that the operator processed personal data of its employees by using an audio-video system (image and voice), without proving compliance with the legal grounds provided by art. 6 para. (1) of the RGPD, respectively obtaining the consent of the data subjects, fulfilling a legal obligation or the prevalence of its legitimate interest over the interests, rights and freedoms of the data subjects.<br />
It was also found that the operator took the measure of monitoring employees at work through audio-video surveillance systems without complying with the first principle established by art. 5 para. (1) lit. a) of the RGPD, according to which the operator has the obligation to process the data legally, equitably and transparently towards the data subject.<br />
At the same time, pursuant to art. 58 para. (2) lit. d) of the RGPD, the corrective measure was ordered against the operator to ensure the conformity of the processing operations performed using audio-video systems, as well as the cessation of any operation or set of personal data processing operations performed via audio-video systems. video and deletion of the personal data record system established as a result of the use of such systems.<br />
The investigation was started as a result of a notification, which indicated that the operator Glove Technology SRL has installed some audio-video surveillance cameras inside the offices, for direct surveillance of employees at work where they work and record discussions between they, for the purpose of their subsequent use against those employees.<br />
In this context, we emphasize that, insofar as an employer uses monitoring systems by means of video surveillance at work, the processing of personal data of employees in order to achieve the legitimate interests of the employer (art. 6 para. 1 letter f) of the RGPD) is carried out in compliance with the provisions of art. 5 of Law no. 190/2018 which establish, as a first condition, that the legitimate interests pursued by the employer are duly justified and prevail over the interests or rights and freedoms of the persons concerned.<br />
<br />
Legal and Communication Department<br />
A.N.S.P.D.C.P.<br />
<br />
<br />
<br />
<br />
<br />
</pre></div>DianaRhttps://gdprhub.eu/index.php?title=ANSPDCP_(Romania)_-_Actamedica_SRL&diff=18854ANSPDCP (Romania) - Actamedica SRL2021-08-31T16:48:55Z<p>DianaR: Created page with "{{DPAdecisionBOX |Jurisdiction=Romania |DPA-BG-Color=background-color:#ffffff; |DPAlogo=LogoRO.jpg |DPA_Abbrevation=ANSPDCP (Romania) |DPA_With_Country=ANSPDCP (Romania) |Ca..."</p>
<hr />
<div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=Romania<br />
|DPA-BG-Color=background-color:#ffffff;<br />
|DPAlogo=LogoRO.jpg<br />
|DPA_Abbrevation=ANSPDCP (Romania)<br />
|DPA_With_Country=ANSPDCP (Romania)<br />
<br />
|Case_Number_Name=Fine against Actamedica SRL<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=ANSPDCP<br />
|Original_Source_Link_1=https://www.dataprotection.ro/?page=Comunicat_Presa_24_08_2021&lang=ro<br />
|Original_Source_Language_1=Romanian<br />
|Original_Source_Language__Code_1=RO<br />
<br />
|Type=Investigation<br />
|Outcome=Violation Found<br />
|Date_Decided=<br />
|Date_Published=24.08.2021<br />
|Year=2021<br />
|Fine=3000<br />
|Currency=EUR<br />
<br />
|GDPR_Article_1=Article 12(3) GDPR<br />
|GDPR_Article_Link_1=Article 12 GDPR#3<br />
|GDPR_Article_2=Article 15(1) GDPR<br />
|GDPR_Article_Link_2=Article 15 GDPR#1<br />
|GDPR_Article_3=Article 28 GDPR<br />
|GDPR_Article_Link_3=Article 28 GDPR<br />
|GDPR_Article_4=Article 32 GDPR<br />
|GDPR_Article_Link_4=Article 32 GDPR<br />
|GDPR_Article_5=Article 33 GDPR<br />
|GDPR_Article_Link_5=Article 33 GDPR<br />
<br />
<br />
<br />
|Party_Name_1=Actamedica SRL<br />
|Party_Link_1=https://lotuslife.ro/<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
|Party_Name_4=<br />
|Party_Link_4=<br />
|Party_Name_5=<br />
|Party_Link_5=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=Unknown<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=Diana Rosu<br />
|<br />
}}<br />
<br />
The Romanian DPA fined a controller €3,000 for failing to implement appropriate technical and organisational measures, which led to a security incident in which a Data Subject's biological samples were lost. Additionally, the controller failed to notify the national DPA about the incident and to answer the Data Subject's request for details about their exposed data.<br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
After a complaint from a Data Subject, the Romanian DPA started an investigation against the controller Actamedica SRL. The investigation found that the controller, a medical centre, had previously informed the Data Subject about losing their biological samples and a sum of money sent by courier. When the Data Subject sent a request asking which other personal data had been exposed and whether the national DPA had been notified, the controller suggested that the Data Subject contact the company lawyer and address any other complaints to the courier company.<br />
<br />
=== Dispute ===<br />
<br />
<br />
=== Holding ===<br />
During the investigation, the DPA found that the controller did not take sufficient security measures appropriate to the risk of processing. This led to a security incident, in breach of art. 28(1) and 32 GDPR, for which the controller was fined RON 9,836.6 (approximately €2,000).<br />
<br />
Additionally, the DPA found that it had not been notified of the security incident, in breach of art. 33 GDPR, for which the controller was fined RON 4,918.3 (approximately €1,000).<br />
<br />
Furthermore, the DPA found that the controller did not respond to the Data Subject's request asking which other personal data had been exposed, in breach of art. 12(3) and 15(1) GDPR, for which the controller was given a warning.<br />
<br />
Finally, the Romanian DPA imposed two corrective measures on the controller, requiring it to implement appropriate security measures and to answer the Data Subject's request.<br />
<br />
== Comment ==<br />
''Share your comments here!''<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.<br />
<br />
<pre><br />
<br />
<br />
<br />
<br />
<br />
24.08.2021<br />
Sanction for violating the GDPR<br />
<br />
The National Supervisory Authority completed in August 2021 an investigation at the operator Actamedica SRL and found a violation of the provisions of art. 12 para. (3), art. 15 para. (1), art. 28 para. (1), art. 32 and art. 33 of the General Data Protection Regulation.<br />
As such, the operator Actamedica SRL was sanctioned for minor offenses:<br />
<br />
- with a fine in the amount of 9836.6 lei (equivalent to 2,000 EURO), for violating art. 28 para. (1) and art. 32 of the General Data Protection Regulation;<br />
- with a fine in the amount of 4918.3 lei (equivalent to 1,000 EURO) for violating art. 33 of the General Data Protection Regulation;<br />
- with a warning, for violating the provisions of art. 12 para. (3) and art. 15 para. (1) of the General Data Protection Regulation.<br />
<br />
The investigation was initiated following the receipt of a complaint alleging that Actamedica SRL from Târgu-Mureș sent a notice to an individual regarding the loss of his biological samples and a sum of money sent through a courier company, the package having reached the recipient damaged. When the individual asked to be informed what personal data of his had been exposed on this occasion and whether ANSPDCP had been notified in connection with this incident, the operator's reply gave him the contact details of the company's lawyer and an e-mail address of the courier company to which he could express his "wishes".<br />
During the investigation launched, the National Supervisory Authority found that Actamedica SRL did not adopt sufficient security measures, according to art. 28 para. (1) and 32 of the GDPR, adapted to the nature of the personal data that were subjected to processing, which led to a security incident. In this context, it was found that the provisions of art. 28 para. (1) and art. 32 of the General Data Protection Regulation had been violated.<br />
Also, the National Supervisory Authority found that the operator did not notify the National Supervisory Authority of the above-mentioned security incident, thus violating the provisions of art. 33 of the General Data Protection Regulation.<br />
On the same occasion, the National Supervisory Authority noted that Actamedica SRL did not present evidence showing that it communicated a response to the postal address of the individual concerned regarding the categories of personal data of his that were exposed during the incident, that is, in response to the express request sent. Therefore, it was found that the provisions of art. 12 para. (3) and 15 para. (1) of the General Data Protection Regulation had been violated.<br />
The following corrective measures were also applied to the operator:<br />
<br />
- the corrective measure to ensure compliance of personal data processing operations with the General Data Protection Regulation, by implementing technical and organizational security measures appropriate to the specifics of the processing and the risks identified, throughout the data processing cycle, including the selection of empowered persons that provide sufficient guarantees for the implementation of appropriate technical and organizational measures so that the processing complies with the requirements of the Regulation and ensures the protection of the rights of data subjects;<br />
- the corrective measure to respond to the request of the data subject regarding the categories of personal data concerned by the security incident, with the answer to be communicated to the postal address indicated in the request.<br />
<br />
<br />
Legal and Communication Department<br />
A.N.S.P.D.C.P.<br />
<br />
<br />
<br />
<br />
<br />
</pre></div>DianaRhttps://gdprhub.eu/index.php?title=ANSPDCP_(Romania)_-_Fine_against_a_natural_person&diff=17709ANSPDCP (Romania) - Fine against a natural person2021-08-03T21:07:36Z<p>DianaR: </p>
<hr />
<div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=Romania<br />
|DPA-BG-Color=background-color:#ffffff;<br />
|DPAlogo=LogoRO.jpg<br />
|DPA_Abbrevation=ANSPDCP (Romania)<br />
|DPA_With_Country=ANSPDCP (Romania)<br />
<br />
|Case_Number_Name=Fine against a natural person<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=ANSPDCP<br />
|Original_Source_Link_1=https://www.dataprotection.ro/?page=Comunicat_Presa_30_07_2021&lang=ro<br />
|Original_Source_Language_1=Romanian<br />
|Original_Source_Language__Code_1=RO<br />
<br />
|Type=Investigation<br />
|Outcome=Violation Found<br />
|Date_Decided=<br />
|Date_Published=30.07.2021<br />
|Year=2021<br />
|Fine=200<br />
|Currency=EUR<br />
<br />
|GDPR_Article_1=Article 5(1)(b) GDPR<br />
|GDPR_Article_Link_1=Article 5 GDPR#1b<br />
|GDPR_Article_2=Article 5(1)(a) GDPR<br />
|GDPR_Article_Link_2=Article 5 GDPR#1a<br />
|GDPR_Article_3=Article 5(2) GDPR<br />
|GDPR_Article_Link_3=Article 5 GDPR#2<br />
|GDPR_Article_4=Article 6(1) GDPR<br />
|GDPR_Article_Link_4=Article 6 GDPR#1<br />
|GDPR_Article_5=Article 14(1) GDPR<br />
|GDPR_Article_Link_5=Article 14 GDPR#1<br />
|GDPR_Article_6=Article 14(2) GDPR<br />
|GDPR_Article_Link_6=Article 14 GDPR#2<br />
|GDPR_Article_7=Article 14(3) GDPR<br />
|GDPR_Article_Link_7=Article 14 GDPR#3<br />
|GDPR_Article_8=Article 14(4) GDPR<br />
|GDPR_Article_Link_8=Article 14 GDPR#4<br />
<br />
<br />
<br />
|Party_Name_1=<br />
|Party_Link_1=<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
|Party_Name_4=<br />
|Party_Link_4=<br />
|Party_Name_5=<br />
|Party_Link_5=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=Unknown<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=Diana Rosu<br />
|<br />
}}<br />
<br />
The Romanian DPA fined a natural person approximately €200 (RON 985.5) for publicly sharing personal data, including a child's data, on Facebook and in distributed flyers. The natural person was considered a controller for sharing copies of payslips and records from a kindergarten, in breach of Articles 5, 6 and 14 of the GDPR.<br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
Copies of a data subject's payslips and registration records of a kindergarten were shared by a natural person on their Facebook profile and distributed through flyers. <br />
<br />
=== Dispute ===<br />
<br />
<br />
=== Holding ===<br />
Following several complaints, the DPA started an investigation and decided that the natural person was a controller unlawfully processing personal data, including a child's data, in breach of Articles 5, 6 and 14 of the GDPR. <br />
<br />
== Comment ==<br />
''Share your comments here!''<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.<br />
<br />
<pre><br />
The National Supervisory Authority completed an investigation of a natural person and found the commission of two contraventions by violating the provisions of art. 5 para. (1) lit. a) and b) and par. (2), referred to in art. 6 para. (1), as well as the provisions of art. 14 para. (1) - (4) of the General Data Protection Regulation.<br />
<br />
As such, the natural person, as a controller, was sanctioned:<br />
<br />
- with a fine, in the amount of 492.75 lei (equivalent to 100 EURO) for violating art. 5 para. (1) lit. a) and b) and par. (2) of the GDPR and of art. 6 para. (1) of the GDPR;<br />
<br />
- with a fine, in the amount of 492.75 lei (equivalent to 100 EURO) for violating art. 14 para. (1) - (4) of the GDPR.<br />
<br />
The investigation was initiated following the receipt of several complaints.<br />
<br />
The complaints alleged that the controller, by distributing some materials to the households in the commune and by posting on his personal Facebook account, revealed personal data, on the one hand, of an individual by circulating a photo of the payslip that belonged to her and, on the other hand, of the minor son of another data subject, contained in a photograph of a file from the Register of children enrolled in the Kindergarten with Normal Program in that commune.<br />
<br />
As a result of the investigation, the National Supervisory Authority found that the controller did not present evidence to show that he had legally processed the personal data contained in the payslip of the data subject (name, surname, CNP, place of employment, position, salary), thus violating the principles of personal data processing provided in art. 5 para. (1) lit. a) and b) and par. (2) of the GDPR and the provisions of art. 6 para. (1) of the GDPR.<br />
<br />
At the same time, the controller did not present evidence showing that he provided information to the data subjects about the processing of personal data contained in the tab photographed in the Register of children enrolled in Kindergarten with Normal Program (name and surname of the minor son of the data subject), thus violating the provisions of art. 14 para. (1) - (4) of the GDPR.<br />
</pre></div>DianaRhttps://gdprhub.eu/index.php?title=ANSPDCP_(Romania)_-_Fine_against_La_Santrade_S.R.L.&diff=16686ANSPDCP (Romania) - Fine against La Santrade S.R.L.2021-06-22T11:16:40Z<p>DianaR: </p>
<hr />
<div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=Romania<br />
|DPA-BG-Color=background-color:#ffffff;<br />
|DPAlogo=LogoRO.jpg<br />
|DPA_Abbrevation=ANSPDCP (Romania)<br />
|DPA_With_Country=ANSPDCP (Romania)<br />
<br />
|Case_Number_Name=Fine against La Santrade S.R.L.<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=ANSPDCP<br />
|Original_Source_Link_1=https://www.dataprotection.ro/?page=Comunicat_Presa_16_06_2021&lang=ro<br />
|Original_Source_Language_1=Romanian<br />
|Original_Source_Language__Code_1=RO<br />
<br />
|Type=Investigation<br />
|Outcome=Violation Found<br />
|Date_Decided=<br />
|Date_Published=16.06.2021<br />
|Year=2021<br />
|Fine=9.839,4<br />
|Currency=RON<br />
<br />
|GDPR_Article_1=Article 12(2) GDPR<br />
|GDPR_Article_Link_1=Article 12 GDPR#2<br />
|GDPR_Article_2=Article 12(3) GDPR<br />
|GDPR_Article_Link_2=Article 12 GDPR#3<br />
|GDPR_Article_3=Article 17 GDPR<br />
|GDPR_Article_Link_3=Article 17 GDPR<br />
|GDPR_Article_4=Article 83(5)(e) GDPR<br />
|GDPR_Article_Link_4=Article 83 GDPR#5e<br />
|GDPR_Article_5=Article 83(5)(b) GDPR<br />
|GDPR_Article_Link_5=Article 83 GDPR#5b<br />
<br />
<br />
<br />
|Party_Name_1=La Santrade S.R.L.<br />
|Party_Link_1=<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
|Party_Name_4=<br />
|Party_Link_4=<br />
|Party_Name_5=<br />
|Party_Link_5=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=Unknown<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=Diana Rosu<br />
|<br />
}}<br />
<br />
The Romanian DPA fined a controller approximately €2.000 (RON 9.839,4) for failing to cooperate with the DPA during an investigation by not providing it with the information it had requested. The same controller received a warning for not fulfilling a data deletion request.<br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
After a Data Subject made a data deletion request, the controller La Santrade S.R.L. did not take the measures necessary to fulfil the request and did not respect the Data Subject's rights, breaching Article 12(2) and (3) GDPR. Additionally, during the DPA's investigation, the controller did not provide it with the information it had requested.<br />
<br />
=== Holding ===<br />
The controller was fined approximately €2.000 (RON 9.839,4) for not responding to the DPA's request to provide information, in violation of [[Article 85 GDPR#3e|Article 85(3)(e) GDPR]], and received a warning for not respecting the Data Subject's rights, in violation of [[Article 85 GDPR#3b|Article 85(3)(b) GDPR]]. It was also ordered to inform the complainant Data Subject of the measures adopted to delete their data, and to implement sufficient measures to facilitate the exercise of Data Subjects' rights.<br />
<br />
== Comment ==<br />
''Share your comments here!''<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.<br />
<br />
<pre><br />
The National Supervisory Authority completed, in June 2021, an investigation at the controller La Santrade S.R.L. and found a violation of the provisions of art. 83 para. (5) lit. e) of the General Regulation on Data Protection and violation of the provisions of art. 83 para. (5) lit. b) of the General Regulation on Data Protection.<br />
<br />
As such, the controller La Santrade S.R.L. was sanctioned:<br />
<br />
- with a fine in the amount of 9,839.4 RON (equivalent to 2,000 EURO) for violating art. 83 para. (5) lit. e) of the General Regulation on Data Protection, regarding the obligation of the controller to provide the necessary information to the National Supervisory Authority;<br />
- with a warning, for violating the provisions of art. 83 para. (5) lit. b) of the General Regulation on Data Protection, regarding the non-observance of the data subject's rights.<br />
<br />
In the investigation initiated following a complaint, La Santrade S.R.L. did not comply with the request for information addressed by the National Supervisory Authority in the exercise of its powers, thus violating the provisions of art. 83 para. (5) lit. e) of the General Regulation on Data Protection.<br />
<br />
Also, the National Supervisory Authority found that the controller did not adopt measures to ensure the effective exercise of the rights of data subjects, which led to failure to resolve the request of the data subject requesting the deletion of his personal data (right provided by art. 17 of the General Data Protection Regulation). In this context, it was found that the provisions of art. 12 para. (2) and (3) of the General Data Protection Regulation had been violated.<br />
<br />
Two corrective measures were also applied:<br />
<br />
- the corrective action to inform the data subject of the measures taken to delete his or her data, collected without his or her express consent;<br />
- the corrective action to facilitate the exercise of the rights of data subjects, by providing valid contact details, including a functional e-mail address, which will be made public on the controller's website in the sections on personal data processing, privacy policy and contact details.<br />
</pre></div>DianaR