ANSPDCP (Romania) - Fine against IKEA ROMÂNIA SA
ANSPDCP (Romania) - Fine against IKEA ROMÂNIA SA | |
---|---|
Authority: | ANSPDCP (Romania) |
Jurisdiction: | Romania |
Relevant Law: | Article 32(1)(b) GDPR, Article 32(2) GDPR |
Type: | Investigation |
Outcome: | Violation Found |
Started: | |
Decided: | 14.10.2021 |
Published: | 01.11.2021 |
Fine: | 1000 EUR |
Parties: | IKEA ROMÂNIA SA |
National Case Number/Name: | Fine against IKEA ROMÂNIA SA |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | Romanian |
Original Source: | ANSPDCP (in RO) |
Initial Contributor: | Diana Rosu |
English Summary
IKEA Romania was fined approximately €1,000 for a data breach in which personal data was erroneously made available online on an IKEA members' platform. The incident affected the personal data of 114 data subjects, half of whom were minors.
Facts
The controller IKEA Romania organised a drawing contest for the children of 'IKEA Family' members. To join the contest, the legal guardians of the children had to upload the drawings, their own personal data, and their children's personal data on a dedicated platform.
To vote for the contest winner, IKEA made the drawings public. However, in doing so, they also erroneously published the personal data of the participants (children and their legal guardians).
This event was notified to the Romanian DPA as a data breach.
Holding
The Romanian DPA started an investigation and found that the personal data of 114 data subjects (half of whom were minors) was erroneously published and left available online for 40 hours on the dedicated platform for 'IKEA Family' members. This event affected the confidentiality of the personal data, in breach of GDPR Articles 32(1)(b) and 32(2), and led to a fine against IKEA Romania of approximately €1,000 (RON 4948.8).
English Machine Translation of the Decision
The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.
01.11.2021
GDPR
The National Supervisory Authority completed on 14.10.2021 an investigation at the operator IKEA ROMANIA SA, following which it was found the violation of the provisions of art. 32 para. (1) lit. b) and para. (2) of the General Data Protection Regulation.
As such, the operator was sanctioned with a fine of 4948.80 lei (equivalent to 1,000 EURO).
The investigation was started as a result of the transmission by IKEA ROMANIA SA to the National Authority for the Supervision of Personal Data Processing of a notification of personal data security breach.
Thus, according to the mentions in the notification form, IKEA ROMANIA SA organized a drawing contest in which the children of IKEA Family members participated. The participants uploaded in the online platform dedicated to the members their own drawings, together with the participation forms, which contained their personal data but also that of the parents / legal guardians, including their consent. In order to vote for the best drawing, the children's drawings were published on the online platform, by mistake, together with the personal data included in the participation forms.
At the time of the investigation, it was found that the security incident led to the unauthorized disclosure of personal data of IKEA Family members (name, surname and age of minors, name, surname, city, country, e-mail, membership number IKEA Family and the handwritten signature of the parent / legal guardian), on the online platform dedicated to IKEA Family members in Romania, accessible only to them, for about 40 hours, affecting a number of 114 individuals (half of them minors).
As such, it was found that this incident led to the compromise of data confidentiality, in violation of the provisions of art. 32 para. (1) lit. b) and para. (2) of the GDPR.
In this context, we emphasize that, according to recital 38 of the GDPR, “Children need specific protection of their personal data, as they may be less aware of the risks, consequences, safeguards involved and their rights regarding the processing of personal data. This specific protection should apply in particular to the use of children's personal data for marketing purposes or to the creation of personality or user profiles and to the collection of personal data concerning children when using services provided directly to children.”
Legal and Communication Department
A.N.S.P.D.C.P.