ANSPDCP (Romania) - Fine against CDI Transport: Difference between revisions
No edit summary |
|||
(3 intermediate revisions by 2 users not shown) | |||
Line 65: | Line 65: | ||
}} | }} | ||
The Romanian DPA issued a warning | The Romanian DPA issued a warning to a passenger transportation company for an insufficient privacy statement on its website and ordered it to rectify the situation. The DPA further fined the company €7,000 for its lack of collaboration during the investigation. | ||
== English Summary == | == English Summary == | ||
=== Facts === | === Facts === | ||
Following a complaint filed by a data subject, the Romanian DPA started an investigation against CDI Transport, a passenger transport company (controller). The data subject complained that the controller's website did not include all the necessary information | Following a complaint filed by a data subject, the Romanian DPA started an investigation against CDI Transport, a passenger transport company (controller). The data subject complained that the controller's website did not include all the necessary information in its privacy policy required by the GDPR. | ||
During the investigation, the company did not answer the DPA's request within the legal term. | During the investigation, the company did not answer the DPA's request within the legal term. | ||
Line 79: | Line 79: | ||
As a result, the DPA held that the controller violated [[Article 12 GDPR#1|Article 12(1) GDPR]]. The DPA issued a warning against the controller and ordered it to ensure that the infromation required by [[Article 12 GDPR]] would be communicated in a concise, transparent and easily accessible manner. | As a result, the DPA held that the controller violated [[Article 12 GDPR#1|Article 12(1) GDPR]]. The DPA issued a warning against the controller and ordered it to ensure that the infromation required by [[Article 12 GDPR]] would be communicated in a concise, transparent and easily accessible manner. | ||
In addition, the DPA fined the controller €7 | In addition, the DPA fined the controller €7,000 for its lack of collaboration during the investigation. The controller neglegted to answer the DPA's request for information within the legal term, in violation of [[Article 58 GDPR#1a|Article 58(1)(a)]] and [[Article 58 GDPR#1e|(e) GDPR]]. | ||
== Comment == | == Comment == | ||
'' | ''The Romanian DPA rarely published full decisions. This summary is based on a press release of the Romanian DPA.'' | ||
== Further Resources == | == Further Resources == |
Latest revision as of 15:33, 24 August 2022
ANSPDCP - Fine against CDI Transport | |
---|---|
Authority: | ANSPDCP (Romania) |
Jurisdiction: | Romania |
Relevant Law: | Article 12(1) GDPR Article 58(1)(a) GDPR Article 58(1)(e) GDPR |
Type: | Investigation |
Outcome: | Violation Found |
Started: | |
Decided: | |
Published: | 09.08.2022 |
Fine: | 7000 EUR |
Parties: | CDI Transport Intern și Internațional SRL |
National Case Number/Name: | Fine against CDI Transport |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | Romanian |
Original Source: | ANSPDCP (in RO) |
Initial Contributor: | Diana Rosu |
The Romanian DPA issued a warning to a passenger transportation company for an insufficient privacy statement on its website and ordered it to rectify the situation. The DPA further fined the company €7,000 for its lack of collaboration during the investigation.
English Summary
Facts
Following a complaint filed by a data subject, the Romanian DPA started an investigation against CDI Transport, a passenger transport company (controller). The data subject complained that the controller's website did not include all the necessary information in its privacy policy required by the GDPR.
During the investigation, the company did not answer the DPA's request within the legal term.
Holding
The DPA found that the controller did not clearly inform the data subjects visiting its website about the personal data it processed, as the information required by Article 12-22 GDPR was not published on the website. This included information about the purpose of processing personal data, the legal basis, the controller's contact details, the retention period and the possibility for data subjects to exercise their rights.
As a result, the DPA held that the controller violated Article 12(1) GDPR. The DPA issued a warning against the controller and ordered it to ensure that the infromation required by Article 12 GDPR would be communicated in a concise, transparent and easily accessible manner.
In addition, the DPA fined the controller €7,000 for its lack of collaboration during the investigation. The controller neglegted to answer the DPA's request for information within the legal term, in violation of Article 58(1)(a) and (e) GDPR.
Comment
The Romanian DPA rarely published full decisions. This summary is based on a press release of the Romanian DPA.
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.
08/09/2022 Penalty for GDPR violation In June 2022, the National Supervisory Authority completed an investigation at the operator CDI Transport Intern si Internazionale SRL and found a violation of the provisions of art. 58 para. (1) lit. a) and e) and art. 12 para. (1) of the General Data Protection Regulation. As such, the operator was penalized: with a fine of 34,630.40 lei, (the equivalent of 7000 EURO), for violating the provisions of art. 58 para. (1) lit. a) and e) of the General Data Protection Regulation; with a warning, for violating the provisions of art. 12 para. (1) of the General Data Protection Regulation. The investigation was started as a result of a notification that it was reported that on the company's website there is no information on the method of collecting personal data, regarding the rights provided for in art. 15-22 of the General Regulation on the Protection of the Data that the data subjects benefit from, regarding the manner of exercising these rights, nor regarding the fact that the operator has the obligation to inform the data subjects in the event of a breach of the security of personal data. During the investigation carried out, as a result of the fact that the operator did not provide the information requested by our institution, within the legal term, a violation of the provisions of art. 58 para. (1) lit. (a) and (e) of the General Data Protection Regulation. At the same time, it was noted that the operator CDI Transport Intern si Internaționale SRL did not provide clear, complete and correct information of the data subjects whose personal data is processed by the company as it did not provide all the information provided by the provisions of art. 12-22 of the General Data Protection Regulation, such as those relating to the purpose of processing and the legal basis, the identity and contact details of the operator, the period for which the data will be stored or the criteria used to establish this period, the conditions for exercising rights. As such, the violation of the provisions of art. 12 para. (1) of the General Data Protection Regulation At the same time, the operator was also ordered to take the corrective measure of ensuring the information of the persons concerned by communicating in a concise, transparent, intelligible and easily accessible form all the information provided by art. 12 of the General Data Protection Regulation. Legal and Communication Department A.N.S.P.D.C.P.