ANSPDCP (Romania) - Fine against CDI Transport

From GDPRhub
Revision as of 08:45, 23 August 2022 by DianaR (talk | contribs) (Created page with "{{DPAdecisionBOX |Jurisdiction=Romania |DPA-BG-Color=background-color:#ffffff; |DPAlogo=LogoRO.jpg |DPA_Abbrevation=ANSPDCP |DPA_With_Country=ANSPDCP (Romania) |Case_Number_...")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
ANSPDCP - Fine against CDI Transport
LogoRO.jpg
Authority: ANSPDCP (Romania)
Jurisdiction: Romania
Relevant Law: Article 12(1) GDPR
Article 58(1)(a) GDPR
Article 58(1)(e) GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided:
Published: 09.08.2022
Fine: 7000 EUR
Parties: CDI Transport Intern și Internațional SRL
National Case Number/Name: Fine against CDI Transport
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Romanian
Original Source: ANSPDCP (in RO)
Initial Contributor: Diana Rosu

The Romanian DPA fined a transportation company EUR 7,000 due to its lack of collaboration during an investigation. Additionally, the company was sanctioned with a warning after being found in breach of Article 12 for not fulfillying the transparency requirements.

English Summary

Facts

Following a complaint filed by a data subject, the Romanian DPA started an investigation against a passenger transport company (CDI Transport). The data subject complained that the controller's website did not include all the necessary information required in a privacy notice to fulfil the transparency requirements.

During the investigation, the company did not answer the DPA's request within the legal deadline.

Holding

The DPA held that the controller did not clearly inform the data subjects visiting its website regarding the personal data collected and it didn't publish the relevant information required by GDPR Article 12-22, including the purpose of processing personal data, the legal basis, the controller's contact details, the retention period, and the possibility of exercising data subject rights. As a result, the controller was found in breach of GDPR Article 12(1) and sanctioned with a warning. Additionally, the controller was applied a corrective measure and required to inform the data subjects with all the infromation required by Article 12 in a clear and transparent manner.

On a different stream, the controller was fined EUR 7,000 for not answering the DPA's request during the investigation.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.

08/09/2022

Penalty for GDPR violation



In June 2022, the National Supervisory Authority completed an investigation at the operator CDI Transport Intern si Internazionale SRL and found a violation of the provisions of art. 58 para. (1) lit. a) and e) and art. 12 para. (1) of the General Data Protection Regulation.

As such, the operator was penalized:

with a fine of 34,630.40 lei, (the equivalent of 7000 EURO), for violating the provisions of art. 58 para. (1) lit. a) and e) of the General Data Protection Regulation; with a warning, for violating the provisions of art. 12 para. (1) of the General Data Protection Regulation.

The investigation was started as a result of a notification that it was reported that on the company's website there is no information on the method of collecting personal data, regarding the rights provided for in art. 15-22 of the General Regulation on the Protection of the Data that the data subjects benefit from, regarding the manner of exercising these rights, nor regarding the fact that the operator has the obligation to inform the data subjects in the event of a breach of the security of personal data.

During the investigation carried out, as a result of the fact that the operator did not provide the information requested by our institution, within the legal term, a violation of the provisions of art. 58 para. (1) lit. (a) and (e) of the General Data Protection Regulation.

At the same time, it was noted that the operator CDI Transport Intern si Internaționale SRL did not provide clear, complete and correct information of the data subjects whose personal data is processed by the company as it did not provide all the information provided by the provisions of art. 12-22 of the General Data Protection Regulation, such as those relating to the purpose of processing and the legal basis, the identity and contact details of the operator, the period for which the data will be stored or the criteria used to establish this period, the conditions for exercising rights. As such, the violation of the provisions of art. 12 para. (1) of the General Data Protection Regulation

At the same time, the operator was also ordered to take the corrective measure of ensuring the information of the persons concerned by communicating in a concise, transparent, intelligible and easily accessible form all the information provided by art. 12 of the General Data Protection Regulation.



Legal and Communication Department

A.N.S.P.D.C.P.