ANSPDCP (Romania) - Fine against CDI Transport

From GDPRhub
Revision as of 15:33, 24 August 2022 by Jg (talk | contribs) (→‎Comment)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
ANSPDCP - Fine against CDI Transport
LogoRO.jpg
Authority: ANSPDCP (Romania)
Jurisdiction: Romania
Relevant Law: Article 12(1) GDPR
Article 58(1)(a) GDPR
Article 58(1)(e) GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided:
Published: 09.08.2022
Fine: 7000 EUR
Parties: CDI Transport Intern și Internațional SRL
National Case Number/Name: Fine against CDI Transport
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Romanian
Original Source: ANSPDCP (in RO)
Initial Contributor: Diana Rosu

The Romanian DPA issued a warning to a passenger transportation company for an insufficient privacy statement on its website and ordered it to rectify the situation. The DPA further fined the company €7,000 for its lack of collaboration during the investigation.

English Summary

Facts

Following a complaint filed by a data subject, the Romanian DPA started an investigation against CDI Transport, a passenger transport company (controller). The data subject complained that the controller's website did not include all the necessary information in its privacy policy required by the GDPR.

During the investigation, the company did not answer the DPA's request within the legal term.

Holding

The DPA found that the controller did not clearly inform the data subjects visiting its website about the personal data it processed, as the information required by Article 12-22 GDPR was not published on the website. This included information about the purpose of processing personal data, the legal basis, the controller's contact details, the retention period and the possibility for data subjects to exercise their rights.

As a result, the DPA held that the controller violated Article 12(1) GDPR. The DPA issued a warning against the controller and ordered it to ensure that the infromation required by Article 12 GDPR would be communicated in a concise, transparent and easily accessible manner.

In addition, the DPA fined the controller €7,000 for its lack of collaboration during the investigation. The controller neglegted to answer the DPA's request for information within the legal term, in violation of Article 58(1)(a) and (e) GDPR.

Comment

The Romanian DPA rarely published full decisions. This summary is based on a press release of the Romanian DPA.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.

08/09/2022

Penalty for GDPR violation



In June 2022, the National Supervisory Authority completed an investigation at the operator CDI Transport Intern si Internazionale SRL and found a violation of the provisions of art. 58 para. (1) lit. a) and e) and art. 12 para. (1) of the General Data Protection Regulation.

As such, the operator was penalized:

with a fine of 34,630.40 lei, (the equivalent of 7000 EURO), for violating the provisions of art. 58 para. (1) lit. a) and e) of the General Data Protection Regulation; with a warning, for violating the provisions of art. 12 para. (1) of the General Data Protection Regulation.

The investigation was started as a result of a notification that it was reported that on the company's website there is no information on the method of collecting personal data, regarding the rights provided for in art. 15-22 of the General Regulation on the Protection of the Data that the data subjects benefit from, regarding the manner of exercising these rights, nor regarding the fact that the operator has the obligation to inform the data subjects in the event of a breach of the security of personal data.

During the investigation carried out, as a result of the fact that the operator did not provide the information requested by our institution, within the legal term, a violation of the provisions of art. 58 para. (1) lit. (a) and (e) of the General Data Protection Regulation.

At the same time, it was noted that the operator CDI Transport Intern si Internaționale SRL did not provide clear, complete and correct information of the data subjects whose personal data is processed by the company as it did not provide all the information provided by the provisions of art. 12-22 of the General Data Protection Regulation, such as those relating to the purpose of processing and the legal basis, the identity and contact details of the operator, the period for which the data will be stored or the criteria used to establish this period, the conditions for exercising rights. As such, the violation of the provisions of art. 12 para. (1) of the General Data Protection Regulation

At the same time, the operator was also ordered to take the corrective measure of ensuring the information of the persons concerned by communicating in a concise, transparent, intelligible and easily accessible form all the information provided by art. 12 of the General Data Protection Regulation.



Legal and Communication Department

A.N.S.P.D.C.P.