ANSPDCP (Romania) - 24.04.2023: Difference between revisions

From GDPRhub
 
(5 intermediate revisions by 3 users not shown)
Line 7: Line 7:
|DPA_With_Country=ANSPDCP (Romania)
|DPA_With_Country=ANSPDCP (Romania)


|Case_Number_Name=Fine against Tensa Art Design SA
|Case_Number_Name= ANSPDCP 24.04.2023
|ECLI=
|ECLI=


Line 61: Line 61:
}}
}}


The Romanian DPA investigated Tensa Art Design SA and found a violation of [[Article 12 GDPR|Articles 12 para. (3)]] and [[Article 21 GDPR|21 GDPR]].
The Romanian DPA investigated Tensa Art Design SA and found that it did not react to a data subject's objection to receiving commercial messages, in violation of [[Article 12 GDPR|Articles 12(3)]] and [[Article 21 GDPR|21 GDPR]]. A fine of €1,000 was imposed.  


== English Summary ==
== English Summary ==


=== Facts ===
=== Facts ===
The controller, Tensa Art Design SA is an optician and merchant for glasses, sunglasses as well as contact lenses. As part of its business, the controller sends out commercial messages. Although it is not directly stated in the case, it is strongly suggested that the controller carries out such pro-cessing activities based on legitimate interest.
The controller, Tensa Art Design SA, was an optician and merchant for glasses, sunglasses as well as contact lenses. As part of its business the controller was sending commercial messages.  


A data subject, as recipient of such commercial messages, objected to receiving such messages as foreseen by [[Article 21 GDPR]], by unsubscribing through email from the newsletter service. Yet, the controller continued to send commercial communications to the data subject's phone number via SMS in a frequent manner. Consequently, the data subject sent a complaint to the Romanian DPA, prompting the DPA to investigate the matter.
A data subject, objected to receiving the commercial messages as foreseen by [[Article 21 GDPR]], by unsubscribing from the newsletter service. Yet, the controller continued to send commercial communications to the data subject's phone number via SMS in a frequent manner. Consequently, the data subject filed a complaint with the Romanian DPA, prompting the DPA to investigate the matter.


=== Holding ===
=== Holding ===
The DPA held that the controller's conduct was a violation of the GDPR. Pursuant to [[Article 21 GDPR]] - the right to object - data subjects have the right to object to processing which is done based either on the legal basis of [[Article 6 GDPR|Article 6(1)(e) GDPR]] - public interest - or the legal basis of [[Article 6 GDPR|Article 6(1)(f) GDPR]] - legitimate interest. Moreover, [[Article 21 GDPR|Article 21(3) GDPR]] specifically grants data subjects the right to object to processing for direct marketing purposes.
The DPA held that the controller's conduct was a violation of the GDPR. Pursuant to [[Article 21 GDPR]] data subjects have the right to object to processing which is done based either on the legal basis of [[Article 6 GDPR|Article 6(1)(e) GDPR]] (public interest) or [[Article 6 GDPR|Article 6(1)(f) GDPR]] (legitimate interest). Moreover, [[Article 21 GDPR|Article 21(2) GDPR]] specifically grants data subjects the right to object to processing for direct marketing purposes.


During the investigation, the DPA found that the controller did not present evidence from which it could be concluded that it resolved the request of the data subject in accordance with Article 12 para. (3) and [[Article 21 GDPR]] and did not provide the data subject with an answer, within the legal term, regarding the measures adopted following the exercise of the right to objection.  
During the investigation, the DPA found that the controller did not present evidence from which it could be concluded that it reacted to the request of the data subject in accordance with [[Article 12 GDPR|Article 12(3) GDPR]] and [[Article 21 GDPR]] and did not provide the data subject with an answer, within the month of the request, regarding the measures adopted following the exercise of the right to objection.  


Considering the facts above, the DPA decided that the controller violated [[Article 12 GDPR|Article 12 para. (3)]] and [[Article 21 GDPR]] by not respecting the data subject's objection. Based on its powers pursuant to [[Article 58 GDPR|Article 58(2)(i) GDPR]], the DPA fined the controller €1,000 (RON 4,947.9). Moreover, based on [[Article 58 GDPR|Article 58(2)(d) GDPR]], the DPA ordered the controller to take the necessary measures to modify the existing procedures at the company level and communicate them to the employees, in order to ensure that its processing of personal data respect the rights of data subjects vested in them by the GDPR.
The DPA decided that the controller violated [[Article 12 GDPR|Article 12(3)]] and [[Article 21 GDPR]] by not respecting the data subject's objection. Based on its powers pursuant to [[Article 58 GDPR|Article 58(2)(i) GDPR]], the DPA fined the controller €1,000 (RON 4,947.9). Moreover, based on [[Article 58 GDPR|Article 58(2)(d) GDPR]], the DPA ordered the controller to take the necessary measures to modify the existing procedures at the company level and communicate them to the employees, in order to ensure that its processing of personal data respect the rights of data subjects under the GDPR.


== Comment ==
== Comment ==
Unfortunately, the Romanian DPA does not publish its full decisions. This summary is based on a press release.
Unfortunately, the Romanian DPA does not publish its full decisions. This summary is based on a press release. Although it is not directly stated in the case, it is strongly suggested that the controller carried out such processing activities on the basis of legitimate interest.


== Further Resources ==
== Further Resources ==
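
Review bot: In the Facts paragraph of the new revision, "A data subject, objected to receiving the commercial messages" has a stray comma after "subject". The rewrite also drops the detail that the unsubscribe request was made by email, which the translated press release further down the page states ("via e-mail"). Suggest "A data subject objected to receiving the commercial messages as foreseen by [[Article 21 GDPR]], by unsubscribing from the newsletter service via email." In the Holding paragraph, "within the legal term" became "within the month of the request", while the press release says only "within the legal term"; consider keeping the source's wording or tying the one-month period explicitly to Article 12(3). In the last Holding paragraph, "respect the rights" should read "respects the rights".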

Latest revision as of 15:15, 13 December 2023

ANSPDCP - ANSPDCP 24.04.2023
Authority: ANSPDCP (Romania)
Jurisdiction: Romania
Relevant Law: Article 12(3) GDPR
Article 21 GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided:
Published: 24.04.2023
Fine: 1000 EUR
Parties: n/a
National Case Number/Name: ANSPDCP 24.04.2023
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Romanian
Original Source: ANSPDCP (in RO)
Initial Contributor: carlafilip

The Romanian DPA investigated Tensa Art Design SA and found that it did not react to a data subject's objection to receiving commercial messages, in violation of Articles 12(3) and 21 GDPR. A fine of €1,000 was imposed.

English Summary

Facts

The controller, Tensa Art Design SA, was an optician and merchant for glasses, sunglasses as well as contact lenses. As part of its business the controller was sending commercial messages.

A data subject objected to receiving the commercial messages as foreseen by Article 21 GDPR, by unsubscribing from the newsletter service. Yet, the controller continued to send commercial communications to the data subject's phone number via SMS in a frequent manner. Consequently, the data subject filed a complaint with the Romanian DPA, prompting the DPA to investigate the matter.

Holding

The DPA held that the controller's conduct was a violation of the GDPR. Pursuant to Article 21 GDPR data subjects have the right to object to processing which is done based either on the legal basis of Article 6(1)(e) GDPR (public interest) or Article 6(1)(f) GDPR (legitimate interest). Moreover, Article 21(2) GDPR specifically grants data subjects the right to object to processing for direct marketing purposes.

During the investigation, the DPA found that the controller did not present evidence from which it could be concluded that it reacted to the request of the data subject in accordance with Article 12(3) GDPR and Article 21 GDPR and did not provide the data subject with an answer, within the month of the request, regarding the measures adopted following the exercise of the right to objection.

The DPA decided that the controller violated Article 12(3) and Article 21 GDPR by not respecting the data subject's objection. Based on its powers pursuant to Article 58(2)(i) GDPR, the DPA fined the controller €1,000 (RON 4,947.9). Moreover, based on Article 58(2)(d) GDPR, the DPA ordered the controller to take the necessary measures to modify the existing procedures at the company level and communicate them to the employees, in order to ensure that its processing of personal data respects the rights of data subjects under the GDPR.

Comment

Unfortunately, the Romanian DPA does not publish its full decisions. This summary is based on a press release. Although it is not directly stated in the case, it is strongly suggested that the controller carried out such processing activities on the basis of legitimate interest.

Further Resources


English Machine Translation of the Decision

The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.

24.04.2023

Penalty for GDPR violation



In March 2023, the National Supervisory Authority completed an investigation at the operator Tensa Art Design SA and found a violation of the provisions of art. 12 para. (3) and art. 21 of Regulation (EU) 2016/679.

As such, the operator was fined 4,947.9 lei (equivalent to 1,000 EURO).

The investigation was started as a result of a notification submitted by a concerned person who complained that the operator Tensa Art Design SA was sending him unsolicited messages, although he exercised his right of opposition.

During the investigation carried out, it was found that the operator sent unsolicited commercial messages to the person in question, via SMS, repeatedly, although he had previously requested, via e-mail, to unsubscribe from the newsletter service.

During the investigation, it was found that the operator Tensa Art Design SA did not present evidence from which it could be concluded that it resolved the request of the person concerned in accordance with the provisions of art. 12 para. (3) related to art. 21 of Regulation (EU) 2016/679 and did not provide her with an answer, within the legal term, regarding the measures adopted following the exercise of the right of opposition.

At the same time, as part of the investigation, the operator was also given the corrective measure to take the necessary measures to modify the existing procedures at the company level and bring them to the knowledge of the employees, so that the rights of the persons concerned provided by Regulation (EU) 679/2016 are respected in all cases.



Legal and Communication Department

A.N.S.P.D.C.P.