ANSPDCP (Romania) - 13.03.2023
ANSPDCP - 13.03.2023 | |
---|---|
Authority: | ANSPDCP (Romania) |
Jurisdiction: | Romania |
Relevant Law: | Article 12 GDPR Article 13 GDPR |
Type: | Investigation |
Outcome: | Violation Found |
Started: | |
Decided: | |
Published: | 13.03.2023 |
Fine: | 2,000 EUR |
Parties: | Modaone SRL |
National Case Number/Name: | 13.03.2023 |
European Case Law Identifier: | N/A |
Appeal: | Unknown |
Original Language(s): | Romanian |
Original Source: | ANSPDCP (in RO) |
Initial Contributor: | Marta.Tudor |
The Romanian DPA held that by not providing sufficient information and by requesting a written, dated and signed document for opposition requests, the controller imposes excessive conditions to the exercice of this right and violates Articles 12 and 13 GDPR.
English Summary
Facts
A data subject made an opposition request to marketing communications received from a fashion retailer (the data controller). The data controller indicated that it would comply with the opposition request, but continued sending marketing communications to the data subject.
In this context, the data subject filed a complaint to the DPA and the authority started an investigation with the data controller.
The investigation revealed firstly that to make a valid opposition request, the data subject had to submit a written, dated and signed request. Secondly, it revealed that the information notice did not cover the information on data recipients, retention terms or the right to lodge a complaint to the DPA.
Holding
The DPA found that by imposing excessive conditions for the exercise of the data subjects' rights, the controller violated Articles 12 and 13 GDPR.
Also, the DPA found that the data controller violated Article 13 GDPR since the information notice did not provide complete, correct, accurate, and updated information.
The DPA imposed a fine of RON 9871 (approximately €2000) and in accordance with Article 58(2)(d) GDPR the DPA imposed certain corrective measures.
Firstly, the DPA ordered the data controller to take appropriate measures in order to comply with the GDPR provisions, so that, in the future, the personal data used to send commercial communications via electronic means (direct marketing) will only be processed based on the data subject's consent, to implement related internal procedures in this respect and to amend the relevant sections on the website to reflect such flow.
Moreover, the DPA ordered the data controller to amend its information notice, in order to provide the data subject to complete, correct, accurate and updated information in respect to the manner in which their personal data are being processed.
Also, the DPA ordered the data controller to eliminate the excessive condition of requesting the data subjects to submit a "written, dated and signed" request, when exercising their rights.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.
In January of the current year, the National Supervisory Authority completed an investigation at the Modaone SRL operator, during which it found a violation of the provisions of art. 12 and art. 13 of the General Data Protection Regulation. As such, the company Modaone SRL was fined in the amount of 9871 lei (the equivalent of 2000 EURO). The investigation was started as a result of a complaint submitted by a concerned person, in which he complained that commercial messages were sent to his e-mail address from www.kalapod.net, in violation of the right of opposition, although it was previously communicated that such messages will no longer be sent to him. During the investigation, it was found that Modaone SRL, owner of www.kalapod.net, does not provide complete, correct, accurate and updated information regarding the processing of the personal data of the persons concerned, as provided by art. 13 of the RGPD (e.g.: recipients of personal data, storage period, the right to file a complaint with the supervisory authority), imposing, at the same time, excessive conditions for the exercise of rights by the persons concerned, thus violating the provisions of art. 12 and art. 13 of the GDPR. At the same time, under art. 58 para. (2) lit. d) from the General Data Protection Regulation, the following corrective measures were ordered against the operator: - taking appropriate measures in order to comply with the provisions of the RGPD, so that, in the future, the personal data of the persons concerned will be processed for the purpose of direct marketing aimed at the use of electronic communication services (e-mail, telephone), only with obtaining consent express and prior to them, including the adoption of procedures in this regard and the corresponding modification of the applicable sections on the kalapod.net website; - modification of the "Terms and conditions" section on the kalapod.net website so that the persons concerned are provided with complete, correct, accurate and updated information regarding the processing of personal data; at the same time, the excessive condition of sending the request "written, dated and signed" in the case of their transmission by e-mail, as well as the excessive condition of requesting a copy of the identity document in order to exercise the rights provided by the GDPR, will be eliminated. Legal and Communication Department A.N.S.P.D.C.P.