ANSPDCP (Romania) - Fine against a natural person
ANSPDCP (Romania) - Fine against a natural person | |
---|---|
Authority: | ANSPDCP (Romania) |
Jurisdiction: | Romania |
Relevant Law: | Article 5(1)(b) GDPR Article 5(1)(a) GDPR Article 5(2) GDPR Article 6(1) GDPR Article 14(1) GDPR Article 14(2) GDPR Article 14(3) GDPR Article 14(4) GDPR |
Type: | Investigation |
Outcome: | Violation Found |
Started: | |
Decided: | |
Published: | 30.07.2021 |
Fine: | 200 EUR |
Parties: | n/a |
National Case Number/Name: | Fine against a natural person |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | Romanian |
Original Source: | ANSPDCP (in RO) |
Initial Contributor: | Diana Rosu |
The Romanian DPA fined a natural person approximately €200 (RON 985.5) for publicly sharing on Facebook and distributing flyers containing personal data, including a child's data. The natural person was considered a controller for sharing copies of payslips and records from a kindergarten, in breach of Articles 5, 6 and 14 of the GDPR.
English Summary
Facts
Copies of a data subject's pay slips (including name, surname, CNP, place of employment, position, and salary), and the registration records of a kindergarten including the personal data of a minor (name and surname) were shared by a natural person on their personal Facebook profile as well as distributed through flyers.
Holding
Following several complaints, the DPA started an investigation and decided that the natural person was a controller unlawfully processing personal data, including a child's data, in breach of Articles 5, 6 and 14 of the GDPR.
In particular, the controller had not presented evidence that it had legally processed the personal data in the payslip thus violating Article 5(1) (a) and (b), Article 5 (2) GDPR and Article 6(1) GDPR.
Moreover, the controller had not presented evidence to show he had provided information to the data subject about the processing of personal data contained in the registration records, thus violating Article 14(1)-(4) GDPR.
The natural person was fined:
- approximately €100 for violating Article 5(1) (a) and (b), Article 5 (2), and Article 6(1) GDPR;
- approximately €100 for violating Article 14(1)-(4) GDPR.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.
The National Supervisory Authority completed an investigation of a natural person and found the commission of two contraventions by violating the provisions of art. 5 para. (1) lit. a) and b) and par. (2), referred to in art. 6 para. (1), as well as the provisions of art. 14 para. (1) - (4) of the General Data Protection Regulation. As such, the natural person, as a controller, was sanctioned: - with a fine, in the amount of 492.75 lei (equivalent to 100 EURO) for violating art. 5 para. (1) lit. a) and b) and par. (2) of the GDPR and of art. 6 para. (1) of the GDPR; - with a fine, in the amount of 492.75 lei (equivalent to 100 EURO) for violating art. 14 para. (1) - (4) of the GDPR. The investigation was initiated following the receipt of several complaints. Thus, the controller was complained about the fact that, by distributing some materials within the households in the commune and by posting on his personal Facebook account, he revealed personal data, on the one hand, of an individual by broadcasting a photo of the payslip that belonged to her and, on the other hand, revealed personal data of the minor son of another data subject, contained in a photograph of a file from the Register of children enrolled in the Kindergarten with Normal Program in that commune. As a result of the investigation, the National Supervisory Authority found that the controller did not present evidence to show that he had legally processed the personal data contained in the payslip of the data subject (name, surname, CNP, place of employment). work, position, salary), thus violating the principles of personal data processing provided in art. 5 para. (1) lit. a) and b) and par. (2) of the GDPR and the provisions of art. 6 para. (1) of the GDPR. At the same time, the controller did not present evidence showing that he provided information to the data subjects about the processing of personal data contained in the tab photographed in the Register of children enrolled in Kindergarten with Normal Program (name and surname of the minor son of the data subject), thus violating the provisions of art. 14 para. (1) - (4) of the GDPR.