ANSPDCP (Romania) - Fine against Untold SRL: Difference between revisions

From GDPRhub
No edit summary
No edit summary
 
Line 65: Line 65:
}}
}}


The DPA fined a controller RON 74,611.50 (€15,000) after it failed to act on an access and erasure request.
The DPA fined a controller RON 74,611.50 (€15,000) for failing to act on an access and erasure request.


== English Summary ==
== English Summary ==


=== Facts ===
=== Facts ===
The data subject filed an access request with the controller. However, the controller never replied to this request.
The data subject filed an access request with the controller.  


Moreover, they also requested the controller to delete their personal data pursuant to [[Article 17 GDPR#1b|Article 17(1)(b) GDPR]].
Moreover, they also requested the controller to delete their personal data pursuant to [[Article 17 GDPR#1b|Article 17(1)(b) GDPR]].
However, the controller never replied to these requests.


Therefore, the data subject filed a complaint with the DPA, noting that they had previously provided the controller with their e-mail address, telephone number, full name and postal address.
Therefore, the data subject filed a complaint with the DPA, noting that they had previously provided the controller with their e-mail address, telephone number, full name and postal address.

Latest revision as of 15:45, 4 November 2024

ANSPDCP - Fine against Untold SRL
LogoRO.jpg
Authority: ANSPDCP (Romania)
Jurisdiction: Romania
Relevant Law: Article 12(3) GDPR
Article 12(4) GDPR
Article 17(1) GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided:
Published: 30.10.2024
Fine: 74,611.50 RON
Parties: Untold SRL
National Case Number/Name: Fine against Untold SRL
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Romanian
Original Source: ANSPDCP (in RO)
Initial Contributor: fb

The DPA fined a controller RON 74,611.50 (€15,000) for failing to act on an access and erasure request.

English Summary

Facts

The data subject filed an access request with the controller.

Moreover, they also requested the controller to delete their personal data pursuant to Article 17(1)(b) GDPR.

However, the controller never replied to these requests.

Therefore, the data subject filed a complaint with the DPA, noting that they had previously provided the controller with their e-mail address, telephone number, full name and postal address.

Holding

First, the DPA noted that the controller has never replied to the data subject's access request. Therefore, it found a violation of Article 15 GDPR in combination with Article 12(3) and 12(4) GDPR.

Moreover, the DPA held that the controller violated Article 17(1) GDPR in combination with Article 12(3) and 12(4) GDPR since the controller did not act on the erasure request filed by the data subject.

On these grounds, the DPA issued a fine of RON 74,611.50 (€15,000) and ordered the controller to:

  • provide the data subject with a written reply, therefore acting on their access request;
  • adopt the necessary measures to ensure it is able to promptly act on data subjects' access requests.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.

30.10.2024

Penalty for GDPR violation

 

The National Supervisory Authority for the Processing of Personal Data completed, in September 2024, an investigation at the operator Untold SRL and found a violation of the provisions of art. 15 and art. 17 para. (1) in conjunction with art. 12 para. (3) and (4) of Regulation (EU) 2016/679.

As such, the operator was penalized:

with a fine of 49,741 lei (the equivalent of 10,000 EURO), for violating art. 15 in conjunction with art. 12 para. (3) and (4) of Regulation (EU) 2016/679;

with a fine of 24,870.5 lei (the equivalent of 5,000 EURO), for violating art. 17 para. (1) in conjunction with art. 12 para. (3) and (4) of Regulation (EU) 2016/679.

During the investigation, the National Supervisory Authority for the Processing of Personal Data found that the operator did not resolve the request for access to the personal data of the person concerned, even though he communicated his email address, telephone number, full name and surname and postal address. This situation led to the violation of the provisions of art. 15, in conjunction with art. 12 para. (3) and (4) of Regulation (EU) 2016/679.

At the same time, it was found that the operator did not resolve the request to delete the petitioner's personal data within the terms provided by Regulation (EU) 2016/679, which constituted a violation of the provisions of art. 17 para. (1) and art. 12 para. (3) and (4) of the same normative act.

At the same time, the following corrective measures were ordered against the operator:

to send a written response to the request of the person concerned in accordance with the provisions of art. 15 of Regulation (EU) 2016/679;

to ensure compliance with Regulation (EU) 2016/679 of personal data processing operations, by adopting the necessary technical and organizational measures, including the appropriate training of the personnel designated for this purpose, so that the operator is able to analyze, to resolve correctly and respond to all requests through which the persons concerned exercise their rights, within the terms and according to the conditions provided by art. 12-23 of Regulation (EU) 2016/679.

 

Legal and Communication Department

A.N.S.P.D.C.P.