ANSPDCP (Romania) - Fine against CDI Transport
ANSPDCP - Fine against CDI Transport | |
---|---|
Authority: | ANSPDCP (Romania) |
Jurisdiction: | Romania |
Relevant Law: | Article 12(1) GDPR Article 58(1)(a) GDPR Article 58(1)(e) GDPR |
Type: | Investigation |
Outcome: | Violation Found |
Started: | |
Decided: | |
Published: | 09.08.2022 |
Fine: | 7000 EUR |
Parties: | CDI Transport Intern și Internațional SRL |
National Case Number/Name: | Fine against CDI Transport |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | Romanian |
Original Source: | ANSPDCP (in RO) |
Initial Contributor: | Diana Rosu |
The Romanian DPA issued a warning against a passenger transportation company because the privacy policy on its website was not compliant with Article 12 GDPR and ordered the company to ensure the information required was included. The DPA further fined the company €7.000 for its lack of collaboration during the investigation.
English Summary
Facts
Following a complaint filed by a data subject, the Romanian DPA started an investigation against CDI Transport, a passenger transport company (controller). The data subject complained that the controller's website did not include all the necessary information required in a privacy notice to fulfil the transparency requirements.
During the investigation, the company did not answer the DPA's request within the legal term.
Holding
The DPA found that the controller did not clearly inform the data subjects visiting its website about the personal data it processed, as the information required by Article 12-22 GDPR was not published on the website. This included information about the purpose of processing personal data, the legal basis, the controller's contact details, the retention period and the possibility for data subjects to exercise their rights.
As a result, the DPA held that the controller violated Article 12(1) GDPR. The DPA issued a warning against the controller and ordered it to ensure that the infromation required by Article 12 GDPR would be communicated in a concise, transparent and easily accessible manner.
In addition, the DPA fined the controller €7.000 for not answering the DPA's request for information within the legal term, in violation of Article 58(1)(a) and (e) GDPR.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.
08/09/2022 Penalty for GDPR violation In June 2022, the National Supervisory Authority completed an investigation at the operator CDI Transport Intern si Internazionale SRL and found a violation of the provisions of art. 58 para. (1) lit. a) and e) and art. 12 para. (1) of the General Data Protection Regulation. As such, the operator was penalized: with a fine of 34,630.40 lei, (the equivalent of 7000 EURO), for violating the provisions of art. 58 para. (1) lit. a) and e) of the General Data Protection Regulation; with a warning, for violating the provisions of art. 12 para. (1) of the General Data Protection Regulation. The investigation was started as a result of a notification that it was reported that on the company's website there is no information on the method of collecting personal data, regarding the rights provided for in art. 15-22 of the General Regulation on the Protection of the Data that the data subjects benefit from, regarding the manner of exercising these rights, nor regarding the fact that the operator has the obligation to inform the data subjects in the event of a breach of the security of personal data. During the investigation carried out, as a result of the fact that the operator did not provide the information requested by our institution, within the legal term, a violation of the provisions of art. 58 para. (1) lit. (a) and (e) of the General Data Protection Regulation. At the same time, it was noted that the operator CDI Transport Intern si Internaționale SRL did not provide clear, complete and correct information of the data subjects whose personal data is processed by the company as it did not provide all the information provided by the provisions of art. 12-22 of the General Data Protection Regulation, such as those relating to the purpose of processing and the legal basis, the identity and contact details of the operator, the period for which the data will be stored or the criteria used to establish this period, the conditions for exercising rights. As such, the violation of the provisions of art. 12 para. (1) of the General Data Protection Regulation At the same time, the operator was also ordered to take the corrective measure of ensuring the information of the persons concerned by communicating in a concise, transparent, intelligible and easily accessible form all the information provided by art. 12 of the General Data Protection Regulation. Legal and Communication Department A.N.S.P.D.C.P.