ANSPDCP (Romania) - Fine against Untold SRL: Difference between revisions
(Created page with "{{DPAdecisionBOX |Jurisdiction=Romania |DPA-BG-Color=background-color:#ffffff; |DPAlogo=LogoRO.jpg |DPA_Abbrevation=ANSPDCP |DPA_With_Country=ANSPDCP (Romania) |Case_Number_Name=Fine against Untold SRL |ECLI= |Original_Source_Name_1=ANSPDCP |Original_Source_Link_1=https://www.dataprotection.ro/?page=Comunicat_Presa_30_10_2024&lang=ro |Original_Source_Language_1=Romanian |Original_Source_Language__Code_1=RO |Original_Source_Name_2= |Original_Source_Link_2= |Original_So...") |
No edit summary |
||
(One intermediate revision by the same user not shown) | |||
Line 65: | Line 65: | ||
}} | }} | ||
The DPA fined a controller RON 74,611.50 (€15,000) | The DPA fined a controller RON 74,611.50 (€15,000) for failing to act on an access and erasure request. | ||
== English Summary == | == English Summary == | ||
=== Facts === | === Facts === | ||
The data subject filed an access request with the controller | The data subject filed an access request with the controller. | ||
Moreover, they also requested the controller to delete their personal data pursuant to [[Article 17 GDPR#1b|Article 17(1)(b) GDPR]]. | Moreover, they also requested the controller to delete their personal data pursuant to [[Article 17 GDPR#1b|Article 17(1)(b) GDPR]]. | ||
However, the controller never replied to these requests. | |||
Therefore, the data subject filed a complaint with the DPA, noting that they had previously provided the controller with their e-mail address, telephone number, full name and postal address. | Therefore, the data subject filed a complaint with the DPA, noting that they had previously provided the controller with their e-mail address, telephone number, full name and postal address. | ||
=== Holding === | === Holding === | ||
First, the DPA noted that the controller has never replied to the data subject's access request. Therefore, it found a violation of [[Article 15 GDPR|Article 15 GDPR]] in combination with Article 12(3) and 12(4) GDPR. | First, the DPA noted that the controller has never replied to the data subject's access request. Therefore, it found a violation of [[Article 15 GDPR|Article 15 GDPR]] in combination with [[Article 12 GDPR#3|Article 12(3)]] and [[Article 12 GDPR#4|12(4) GDPR]]. | ||
Moreover, the DPA held that the controller violated [[Article 17 GDPR#1|Article 17(1) GDPR]] in combination with Article 12(3) and 12(4) GDPR since the controller did not act on the erasure request filed by the data subject. | Moreover, the DPA held that the controller violated [[Article 17 GDPR#1|Article 17(1) GDPR]] in combination with [[Article 12 GDPR#3|Article 12(3)]] and [[Article 12 GDPR#4|12(4) GDPR]] since the controller did not act on the erasure request filed by the data subject. | ||
On these grounds, the DPA issued a fine of RON 74,611.50 (€15,000) and ordered the controller to: | On these grounds, the DPA issued a fine of RON 74,611.50 (€15,000) and ordered the controller to: | ||
provide the data subject with a written reply, therefore acting on their access request; | * provide the data subject with a written reply, therefore acting on their access request; | ||
* adopt the necessary measures to ensure it is able to promptly act on data subjects' access requests. | |||
adopt the necessary measures to ensure it is able to promptly act on data subjects' access requests | |||
== Comment == | == Comment == |
Latest revision as of 15:45, 4 November 2024
ANSPDCP - Fine against Untold SRL | |
---|---|
Authority: | ANSPDCP (Romania) |
Jurisdiction: | Romania |
Relevant Law: | Article 12(3) GDPR Article 12(4) GDPR Article 17(1) GDPR |
Type: | Complaint |
Outcome: | Upheld |
Started: | |
Decided: | |
Published: | 30.10.2024 |
Fine: | 74,611.50 RON |
Parties: | Untold SRL |
National Case Number/Name: | Fine against Untold SRL |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | Romanian |
Original Source: | ANSPDCP (in RO) |
Initial Contributor: | fb |
The DPA fined a controller RON 74,611.50 (€15,000) for failing to act on an access and erasure request.
English Summary
Facts
The data subject filed an access request with the controller.
Moreover, they also requested the controller to delete their personal data pursuant to Article 17(1)(b) GDPR.
However, the controller never replied to these requests.
Therefore, the data subject filed a complaint with the DPA, noting that they had previously provided the controller with their e-mail address, telephone number, full name and postal address.
Holding
First, the DPA noted that the controller has never replied to the data subject's access request. Therefore, it found a violation of Article 15 GDPR in combination with Article 12(3) and 12(4) GDPR.
Moreover, the DPA held that the controller violated Article 17(1) GDPR in combination with Article 12(3) and 12(4) GDPR since the controller did not act on the erasure request filed by the data subject.
On these grounds, the DPA issued a fine of RON 74,611.50 (€15,000) and ordered the controller to:
- provide the data subject with a written reply, therefore acting on their access request;
- adopt the necessary measures to ensure it is able to promptly act on data subjects' access requests.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.
30.10.2024 Penalty for GDPR violation The National Supervisory Authority for the Processing of Personal Data completed, in September 2024, an investigation at the operator Untold SRL and found a violation of the provisions of art. 15 and art. 17 para. (1) in conjunction with art. 12 para. (3) and (4) of Regulation (EU) 2016/679. As such, the operator was penalized: with a fine of 49,741 lei (the equivalent of 10,000 EURO), for violating art. 15 in conjunction with art. 12 para. (3) and (4) of Regulation (EU) 2016/679; with a fine of 24,870.5 lei (the equivalent of 5,000 EURO), for violating art. 17 para. (1) in conjunction with art. 12 para. (3) and (4) of Regulation (EU) 2016/679. During the investigation, the National Supervisory Authority for the Processing of Personal Data found that the operator did not resolve the request for access to the personal data of the person concerned, even though he communicated his email address, telephone number, full name and surname and postal address. This situation led to the violation of the provisions of art. 15, in conjunction with art. 12 para. (3) and (4) of Regulation (EU) 2016/679. At the same time, it was found that the operator did not resolve the request to delete the petitioner's personal data within the terms provided by Regulation (EU) 2016/679, which constituted a violation of the provisions of art. 17 para. (1) and art. 12 para. (3) and (4) of the same normative act. At the same time, the following corrective measures were ordered against the operator: to send a written response to the request of the person concerned in accordance with the provisions of art. 15 of Regulation (EU) 2016/679; to ensure compliance with Regulation (EU) 2016/679 of personal data processing operations, by adopting the necessary technical and organizational measures, including the appropriate training of the personnel designated for this purpose, so that the operator is able to analyze, to resolve correctly and respond to all requests through which the persons concerned exercise their rights, within the terms and according to the conditions provided by art. 12-23 of Regulation (EU) 2016/679. Legal and Communication Department A.N.S.P.D.C.P.