ANSPDCP (Romania) - Fine against a natural person

From GDPRhub
Revision as of 14:07, 18 May 2021 by RRA (talk | contribs)
ANSPDCP (Romania) - Fine against a natural person
LogoRO.jpg
Authority: ANSPDCP (Romania)
Jurisdiction: Romania
Relevant Law: Article 5(1)(b) GDPR
Article 5(1)(a) GDPR
Article 5(2) GDPR
Article 6(1) GDPR
Article 13(1) GDPR
Article 13(2) GDPR
Article 13(3) GDPR
Article 32(2) GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided:
Published: 14.05.2021
Fine: 974.89 RON
Parties: A natural person, owner of a website
National Case Number/Name: Fine against a natural person
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Romanian
Original Source: ANSPDCP (in RO)
Initial Contributor: Diana Rosu

The Romanian DPA fined a natural person, the owner of a website, approximately €200 (RON 974,89) as it did not inform data subjects about the processing activities it performed, and did not take adequate security measures regarding the risks of processing.

English Summary

Facts

The owner of a website (a natural person) provided its users with personalised forms needed in order to leave the house during the coronavirus lockdown. To complete the forms, the controller needed certain personal data of the users, including their name, parent's name, address, personal number and signature.

Dispute

However, the controller did not prove the lawful processing of the respective data.

Holding

The DPA held that the controller did not inform the data subjects regarding the processing performed on its website and did not take adequate security measures in order to prevent possible risks.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.

The National Authority completed an investigation of a natural person and found a violation of the provisions of art. 5 para. (1) lit. a) and b) and par. (2), referred to in art. 6 para. (1), as well as the provisions of art. 13 para. (1) - (3) and art. 32 para. (2) of the General Data Protection Regulation.

The natural person, acting as a controller, was sanctioned with a fine of a total amount of RON 974.89 (equivalent to the amount of EUR 200).

The investigation started after several complaints that through the website https://declaratieppr.ro, by filling in a form that generates a statement necessary to leave the house during the lockdown were processed certain personal data, namely name, surname, parents' first name, domicile, personal number, series and number of the identity card, factual address, place of travel, the purpose of travel and signature.

During the investigation, the National  Authority found that the controller did not present evidence showing that he had legally processed personal data, collected and stored on the website https://declaratieppr.ro.

At the same time, it was found that it did not present evidence that it provided information to data subjects in connection with the processing of their personal data, collected on the same website.

Also, the controller (natural person) has not taken adequate security measures to ensure that the file containing the personal data of the data subjects is not subject to processing risks, in particular, accidentally or illegally generating destruction, loss, modification, unauthorized disclosure or unauthorized access to personal data transmitted, stored or otherwise processed.