ANSPDCP (Romania) - 03.01.2023
ANSPDCP - Press Communication 03/01/2023 | |
---|---|
Authority: | ANSPDCP (Romania) |
Jurisdiction: | Romania |
Relevant Law: | Article 6 GDPR Article 83(5)(a) GDPR Article 83(5)(e) GDPR |
Type: | Complaint |
Outcome: | Upheld |
Started: | |
Decided: | |
Published: | 03.01.2023 |
Fine: | 2,462.5 RON |
Parties: | n/a |
National Case Number/Name: | Press Communication 03/01/2023 |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | Romanian |
Original Source: | Romanian DPA (in RO) |
Initial Contributor: | n/a |
The Romanian DPA fined a controller €500 for publishing a data subject's name without a legal basis in Article 6 GDPR.
English Summary
Facts
The data subject is a member of the controller's association. The data subject issued a complaint to the Romanian DPA, stating that the controller breached the GDPR by publishing a payment list containing the first and last name of each member of the association. Moreover, the data subject also accused the controller of having published a defamatory document in which the data subject's name was mentioned.
The complaint prompted the DSA to launch an investigation into the controller's conduct.
During the investigation, it was found that the Owners' Association disclosed the petitioner's personal data (name and surname) by displaying an information on the notice board, without his consent and without the existence of another situation where consent is not necessary.
Holding
During the investigation, the DPA found that the controller disclosed the data subject's personal name on a notice board without a legal basis in Article 6 GDPR. Neither consent nor any other legal basis were applicable.
Consequently, pursuant to the Articles 83(5)(a) and 83(5)(e) the DPA fined the controller 2,462.5 lei (the equivalent of €500). Additionally, the controller was ordered to implement corrective measures to ensure future compliance with the GDPR.
Comment
Unfortunately, the Romanian DPA refrains from publishing its full decision. The above summary is based on a press release.
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.
03.01.2023 Fine for GDPR violation In November of this year, the National Supervisory Authority completed an investigation at an Owners' Association in Iași, to which it imposed a fine and a warning, as follows: fine in the amount of 2,462.5 lei, the equivalent of 500 EURO, for violating the provisions of art. 83 para. (5) lit. e) from GDPR; warning for violating the provisions of art. 6 in conjunction with paragraph 83. (5) lit. a) from the GDPR. The investigation was carried out as a result of a complaint claiming that the operator displayed the payment lists containing the first and last name of each member of the Owners Association. The petitioner also complained about the display of a defamatory document in which his personal data (name and surname) were mentioned. During the investigation, it was found that the Owners' Association disclosed the petitioner's personal data (name and surname) by displaying a notice on the notice board, without his consent and without the existence of another situation where consent is not necessary. The operator was also given the corrective measure to take the necessary measures in order to ensure the compliance of the processing operations with the provisions of the RGPD and to avoid the processing (including the disclosure) of personal data without the consent of the data subjects and without the existence of another situation in which the consent it is not necessary. Legal and Communication Department A.N.S.P.D.C.P.