ANSPDCP (Romania) - 24.04.2023: Difference between revisions
m (Ls moved page ANSPDCP (Romania) - Fine against Tensa Art Design SA to ANSPDCP (Romania) 24.04.2023)
Revision as of 09:52, 3 May 2023
ANSPDCP - ANSPDCP 24.04.2023 | |
---|---|
Authority: | ANSPDCP (Romania) |
Jurisdiction: | Romania |
Relevant Law: | Article 12(3) GDPR Article 21 GDPR |
Type: | Investigation |
Outcome: | Violation Found |
Started: | |
Decided: | |
Published: | 24.04.2023 |
Fine: | 1000 EUR |
Parties: | n/a |
National Case Number/Name: | ANSPDCP 24.04.2023 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | Romanian |
Original Source: | ANSPDCP (in RO) |
Initial Contributor: | carlafilip |
The Romanian DPA investigated Tensa Art Design SA and found that it did not react to a data subject's objection to receiving commercial messages, in violation of Articles 12(3) and 21 GDPR. A fine of €1,000 was imposed.
English Summary
Facts
The controller, Tensa Art Design SA, was an optician and a merchant of glasses, sunglasses and contact lenses. As part of its business, the controller sent commercial messages.
A data subject objected to receiving the commercial messages, as foreseen by Article 21 GDPR, by unsubscribing from the newsletter service. Yet the controller continued to send frequent commercial communications by SMS to the data subject's phone number. Consequently, the data subject filed a complaint with the Romanian DPA, prompting the DPA to investigate the matter.
Holding
The DPA held that the controller's conduct was a violation of the GDPR. Pursuant to Article 21 GDPR, data subjects have the right to object to processing that is based on either Article 6(1)(e) GDPR (public interest) or Article 6(1)(f) GDPR (legitimate interest). Moreover, Article 21(2) GDPR specifically grants data subjects the right to object to processing for direct marketing purposes.
During the investigation, the DPA found that the controller did not present evidence from which it could be concluded that it reacted to the request of the data subject in accordance with Article 12(3) GDPR and Article 21 GDPR, and that it did not provide the data subject with an answer, within one month of the request, regarding the measures adopted following the exercise of the right to object.
The DPA decided that the controller violated Article 12(3) and Article 21 GDPR by not respecting the data subject's objection. Based on its powers pursuant to Article 58(2)(i) GDPR, the DPA fined the controller €1,000 (RON 4,947.9). Moreover, based on Article 58(2)(d) GDPR, the DPA ordered the controller to take the necessary measures to modify the existing procedures at the company level and communicate them to the employees, in order to ensure that its processing of personal data respects the rights of data subjects under the GDPR.
Comment
Unfortunately, the Romanian DPA does not publish its full decisions. This summary is based on a press release. Although it is not directly stated in the case, it is strongly suggested that the controller carried out such processing activities on the basis of legitimate interest.
English Machine Translation of the Decision
The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.
24.04.2023
Penalty for GDPR violation
In March 2023, the National Supervisory Authority completed an investigation at the operator Tensa Art Design SA and found a violation of the provisions of art. 12 para. (3) and art. 21 of Regulation (EU) 2016/679.
As such, the operator was fined 4,947.9 lei (equivalent to 1,000 EURO).
The investigation was started as a result of a notification submitted by a concerned person who complained that the operator Tensa Art Design SA was sending him unsolicited messages, although he exercised his right of opposition.
During the investigation carried out, it was found that the operator sent unsolicited commercial messages to the person in question, via SMS, repeatedly, although he had previously requested, via e-mail, to unsubscribe from the newsletter service.
During the investigation, it was found that the operator Tensa Art Design SA did not present evidence from which it could be concluded that it resolved the request of the person concerned in accordance with the provisions of art. 12 para. (3) related to art. 21 of Regulation (EU) 2016/679 and did not provide her with an answer, within the legal term, regarding the measures adopted following the exercise of the right of opposition.
At the same time, as part of the investigation, the operator was also given the corrective measure to take the necessary measures to modify the existing procedures at the company level and bring them to the knowledge of the employees, so that the rights of the persons concerned provided by the Regulation are respected in all cases (EU) 679/2016.
Legal and Communication Department
A.N.S.P.D.C.P.