ANSPDCP (Romania) - Fine against La Santrade S.R.L.

From GDPRhub
Revision as of 11:14, 22 June 2021 by DianaR (talk | contribs)
ANSPDCP (Romania) - Fine against La Santrade S.R.L.
LogoRO.jpg
Authority: ANSPDCP (Romania)
Jurisdiction: Romania
Relevant Law: Article 12(2) GDPR
Article 12(3) GDPR
Article 17 GDPR
Article 83(5)(e) GDPR
Article 83(5)(b) GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided:
Published: 16.06.2021
Fine: 9.839,4 RON
Parties: La Santrade S.R.L.
National Case Number/Name: Fine against La Santrade S.R.L.
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Romanian
Original Source: ANSPDCP (in RO)
Initial Contributor: Diana Rosu

The Romanian DPA fined a controller approximately €2.000 (RON 9.839,4) for failing to cooperate with the DPA during an investigation by not providing it with the information it had requested. The same controller received a warning for not fulfilling a data deletion request.

English Summary

Facts

After a Data Subject made a data deletion request, the controller La Santrade S.R.L. did not take the necessary measures in order to fulfil the request and did not respect Data Subject's rights, breaching Article 12(2) and (3) GDPR. Additionally, during the DPA's investigation, the controller did not provide it with the information it had requested.

Dispute

Holding

The controller was fined approximately €2.000 (RON 9.839,4) for not responding to the DPA's request to provide information, in violation of Article 85(3)(e) GDPR, received a warning for not respecting Data Subject's rights, in violation of Article 85(3)(b) GDPR and was ordered to inform the Complainant Data Subject regarding the measures adopted to delete their data, as well as to implement sufficient measures that will facilitate the enforcement of Data Subject's rights.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.

The National Supervisory Authority completed, in June 2021, an investigation at the controller La Santrade S.R.L. and found a violation of the provisions of art. 83 para. (5) lit. e) of the General Regulation on Data Protection and violation of the provisions of art. 83 para. (5) lit. b) of the General Regulation on Data Protection.

As such, the controller La Santrade S.R.L. was sanctioned:

   - with a fine in the amount of 9,839.4 RON (equivalent to 2,000 EURO) for violating art. 83 para. (5) lit. e) of the General Regulation on Data Protection, regarding the obligation of the controller to provide the necessary information to the National Supervisory Authority;
   - with a warning, for violating the provisions of art. 83 para. (5) lit. b) of the General Regulation on Data Protection, regarding the non-observance of the data subject's rights.

In the investigation initiated following a complaint, La Santrade S.R.L. did not comply with the request for information addressed by the National Supervisory Authority in the exercise of its powers, thus violating the provisions of art. 83 para. (5) lit. e) of the General Regulation on Data Protection.

Also, the National Supervisory Authority found that the controller did not adopt measures to ensure the effective exercise of the rights of data subjects, which led to failure to resolve the request of the data subject requesting the deletion of his personal data (right provided by art. 17 of the General Data Protection Regulation). In this context, it was found that the provisions of art. 12 para. (2) and (3) of the General Data Protection Regulation.

Two corrective measures were also applied:

   - the corrective action to inform the data subject of the measures taken to delete his or her data, collected without his or her express consent;
   - corrective action to facilitate the exercise of the rights of data subjects, by providing valid contact details, including a functional e-mail address, which will be made public on the controller's website in the sections on personal data processing, policy privacy, contact details.