ANSPDCP (Romania) - Fine against Estee Lauder Romania

From GDPRhub
Revision as of 13:53, 23 June 2020 by AL (talk | contribs) (Created page with "{{DPAdecisionBOX |Jurisdiction=Romania |DPA-BG-Color=background-color:#ffffff; |DPAlogo=LogoRO.jpg |DPA_Abbrevation=ANSPDCP |DPA_With_Country=ANSPDCP (Romania) |Case_Number_...")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
ANSPDCP - Fine against Estee Lauder Romania
LogoRO.jpg
Authority: ANSPDCP (Romania)
Jurisdiction: Romania
Relevant Law: Article 6 GDPR
Article 7 GDPR
Article 9 GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided:
Published: 15.06.2020
Fine: 3000 EUR
Parties: Estee Lauder Romania SRL
National Case Number/Name: Fine against Estee Lauder Romania
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Romanian
Original Source: ANSPDCP (in RO)
Initial Contributor: n/a

The Romanian DPA (ANSPDCP) fined Estee Lauder Romania € 3.000 for unlawful collection and disclosure of personal data without any valid legal basis.

English Summary

Facts

The complainant claimed that Estee Lauder Romania SRL conducted illegal processing by disclosing and collecting personal data (name, surname, telephone number, date of birth and health information) without consent or other legal basis.


Dispute

Holding

Following an investigation the ANSPDCP found that Estee Lauder Romania SRL violated Article 6, 7 and 9 GDPR and imposed a fine of EUR 3.000.

Comment

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.

Fine for violation of RGPD

The National Supervisory Authority completed on 10.04.2020 an investigation at the operator Estee Lauder Romania SRL and found that it violated the provisions of art. 6, art. 7 and art. 9 of the General Data Protection Regulation.

The operator Estee Lauder Romania SRL was sanctioned with a fine in the amount of 14483.4 lei, the equivalent of 3,000 EURO.

The sanction was applied to the controller following a complaint alleging illegal data processing by disclosing and collecting personal data (name, surname, telephone number, date of birth and health information), respectively, without consent, or another legal basis.

At the same time, the corrective measure was applied to the operator to ensure compliance with the General Data Protection Regulation of the operations of collection and further processing of personal data, by regularly instructing its own staff on the importance of compliance with the rules of personal data processing of its employees. , in each situation of personal data processing, in order to avoid their illegal disclosure, reported to art. 58 para. (2) lit. d) of the RGPD).