ANSPDCP (Romania) - Orange Romania SA
ANSPDCP - Orange Romania SA | |
---|---|
Authority: | ANSPDCP (Romania) |
Jurisdiction: | Romania |
Relevant Law: | Article 5 GDPR, Article 6 GDPR, Article 7 GDPR, Article 12(3) GDPR, Article 12(4) GDPR, Article 17 GDPR |
Type: | Complaint |
Outcome: | Upheld |
Started: | |
Decided: | |
Published: | |
Fine: | 199,020 RON |
Parties: | Orange Romania SA |
National Case Number/Name: | Orange Romania SA |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | Romanian |
Original Source: | Autoritatea Naţională de Supraveghere a Prelucrării Datelor cu Caracter Personal (in RO) |
Initial Contributor: | elu |
The DPA fined Orange Romania SA RON 199,020 (€40,000) for failing to reply to an erasure request and for the prolonged storage of subscribers' scanned ID documents.
English Summary
Facts
The DPA started an investigation in relation to the right to erasure.
The investigation revealed that, after unsuccessfully trying to subscribe to a mobile service offered by the controller, Orange Romania SA, the data subject asked the controller to delete all their personal data.
Instead of fulfilling this erasure request, the controller requested additional data from the data subject and failed to give an appropriate response to the request.
Moreover, the controller excessively collected and stored scanned copies of data subjects' IDs.
Holding
In relation to the ineffective reply to the data subject's erasure request, the DPA found a violation of Articles 12(3) and (4) and 17 GDPR.
In relation to the collection and storage of scanned documents, the DPA considered that the scanned copies of data subjects' ID were stored for longer than necessary for the identification purpose related to the conclusion of a subscription contract, which is the original reason for collection. Thus, the DPA found a violation of Articles 5, 6 and 7 GDPR. The DPA decided to impose the following fines:
1. An amount of RON 99,510 (€20,000) due to the violation of Articles 12(3) and (4), in conjunction with Article 17 GDPR;
2. An amount of RON 99,510 (€20,000) due to the violation of Articles 5, 6 and 7 GDPR.
Additionally, the DPA recommended that the controller undertake the following measures.
Firstly, the controller shall reply fully to the personal data deletion request. Secondly, the controller must adopt the necessary technical and organisational measures, including proper training of personnel. Thirdly, the controller must delete all data subjects' scanned IDs. Finally, the controller must determine the legal basis for all personal data processing, as early as the conclusion of a contract, to make sure that it does not store personal data and identity documents excessively and illegally.
English Machine Translation of the Decision
The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.
27.01.2025
Sanction for violation of the GDPR
The National Supervisory Authority for Personal Data Processing completed, in December 2024, an investigation at the operator Orange Romania SA and found a violation of the provisions of art. 12 para. (3) and (4), in conjunction with art. 17 of Regulation (EU) 2016/679, as well as of art. 5, art. 6 and art. 7 of Regulation (EU) 2016/679.
As such, the operator was sanctioned with two fines in the total amount of 199,020 lei, equivalent to 40,000 EURO, as follows:
1. fine in the amount of 99,510 lei (equivalent to the amount of 20,000 EURO), for violating the provisions of art. 12 para. (3) and (4), in conjunction with art. 17 of Regulation (EU) 2016/679;
2. fine in the amount of 99,510 lei (equivalent to EUR 20,000), for violating the provisions of art. 5, art. 6 and art. 7 of Regulation (EU) 2016/679.
The investigation was launched to verify the way in which the exercise of the right to erasure was resolved.
During the investigation, it was found that, after the unsuccessful attempt to subscribe to the mobile telephony services offered by the operator, the deletion of all personal data was requested. During the correspondence, the operator requested more personal data and no complete and adequate responses were provided to the requests received.
During the investigation, it emerged that Orange Romania SA did not properly manage the requests for deletion of personal data, thus violating the provisions of art. 12 par. (3) and (4), in conjunction with Article 17 of Regulation (EU) 2016/679.
At the same time, it was found that the operator had excessively collected and stored, including scanned copies of documents, although the personal data were no longer necessary for the purpose of identification related to the conclusion of a subscription contract. As such, the provisions of Articles 5, 6 and 7 of Regulation (EU) 2016/679 were violated.
At the same time, as part of the investigation, the following corrective measures were also applied to the operator:
1. to submit a complete response to the request for deletion of his personal data, in accordance with the applicable legal provisions;
2. to ensure compliance with Regulation (EU) 2016/679 of personal data processing operations, by adopting the necessary technical and organizational measures, including in terms of appropriate training of the staff designated for this purpose, so that the operator is able to analyze, correctly resolve and respond appropriately to requests by which data subjects exercise their rights, within the deadlines and according to the conditions provided for in art. 12-23 of Regulation (EU) 2016/679, with clear, transparent and accessible information to data subjects regarding the mechanisms for exercising rights;
3. to remove from the database the personal data and identity documents of the affected person, collected during the failed subscription procedure to the services offered;
4. to ensure compliance with Regulation (EU) 2016/679 of personal data processing operations, so that the operator clearly establishes the legal basis for the collection of personal data by reference to each purpose of the processing, within the framework of the steps preceding the conclusion of a subscription contract to its services, so that personal data and identity documents are not collected and subsequently stored excessively and illegally except in compliance with applicable legislation, ensuring clear, transparent and accessible information to the data subjects, according to the provisions of art. 5-7, respectively, art. 12-14 of Regulation (EU) 2016/679.
Legal and Communication Department
A.N.S.P.D.C.P.