ANSPDCP (Romania) - Fine against IKEA Romania S.R.L.
ANSPDCP (Romania) - Fine against IKEA Romania S.R.L. | |
---|---|
Authority: | ANSPDCP (Romania) |
Jurisdiction: | Romania |
Relevant Law: | Article 12(1) GDPR Article 12(3) GDPR Article 17 GDPR |
Type: | Complaint |
Outcome: | Upheld |
Started: | |
Decided: | |
Published: | 18.04.2022 |
Fine: | 1000 EUR |
Parties: | n/a |
National Case Number/Name: | Fine against IKEA Romania S.R.L. |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | Romanian |
Original Source: | ANSPDCP (in RO) |
Initial Contributor: | Cesar Manso-Sayao |
The Romanian DPA issued a fine of €1000 against IKEA Romania S.R.L. for not granting a data subject's right to erasure of his personal data and IKEA account, in violation of Articles 17, 12(1) GDPR and 12(3) GDPR.
English Summary
Facts
In March 2022, a data subject filed a complaint with the Romanian DPA (ANSPDCP) against Ikea Romania S.R.L., claiming that he had repeatedly requested to exercise his right to have his personal data deleted from an Ikea user account associated to his e-mail address, and that the controller had not granted these requests.
Holding
The ANSPDCP held that Ikea did not provide proof that it had replied within the legal deadline to the data subject’s request to exercised his right to erasure provided for in Article 17 GDPR, which constitutes a breach of Articles 12(1) and 12(3) GDPR.
Based on these violations, the ANSPDCP issued a fine of approximately €1000 (4,949 lei) against Ikea. The ANSPDCP also ordered Ikea to take the necessary measures to ensure that it handles these requests and grants data subject’s access rights in compliance with GDPR.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.
18.04.2022 Sanction for violating the RGPD The National Supervisory Authority completed, in March 2022, an investigation at the operator IKEA Romania S.R.L. and found a violation of the provisions of art. 12 para. (3) of the General Data Protection Regulation. As such, the operator was sanctioned with a fine of 4,949 lei (equivalent to 1,000 EURO). The investigation was initiated following a complaint by the data subject claiming that he had addressed the operator in order to delete a user account. The investigation revealed that the data subject had repeatedly exercised his right to delete his personal data from an Ikea user account created on the basis of an e-mail address. The National Supervisory Authority found that the operator IKEA Romania S.R.L did not prove that it sent within the legal term a response to the requests by which the data subject exercised his right of cancellation provided by art. 17 of the General Regulation on Data Protection, which constitutes a violation of the provisions of art. 12 para. (3) of the General Data Protection Regulation. By art. 12 para. (3) of the General Data Protection Regulation provides: "The operator shall provide the data subject with information on actions taken following a request under Articles 15 to 22, without undue delay and in any case within one month of receipt of the request. This period may be extended by two months where necessary, taking into account the complexity and number of applications. The operator shall inform the data subject of any such extension within one month of receipt of the request, stating the reasons for the delay. Where the data subject submits an application in electronic format, the information shall be provided in electronic format where possible, unless the data subject requests another format. " At the same time, in the course of the investigation, the corrective measure was applied to the operator to take the necessary measures so as to respect, in all cases, the rights of data subjects under the General Data Protection Regulation. Legal and Communication Department A.N.S.P.D.C.P.