ANSPDCP (Romania) - National Consumer Protection Authority (ANPC)

From GDPRhub
Revision as of 15:16, 25 July 2023 by Maxinescu (talk | contribs) (Created page with "{{DPAdecisionBOX |Jurisdiction=Romania |DPA-BG-Color=background-color:#ffffff; |DPAlogo=LogoRO.jpg |DPA_Abbrevation=ANSPDCP |DPA_With_Country=ANSPDCP (Romania) |Case_Number_Name=National Consumer Protection Authority (ANPC) |ECLI= |Original_Source_Name_1=Romanian DPA |Original_Source_Link_1=https://www.dataprotection.ro/?page=Comunicat_Presa_10_07_2023&lang=ro |Original_Source_Language_1=Romanian |Original_Source_Language__Code_1=RO |Original_Source_Name_2= |Original_...")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
ANSPDCP - National Consumer Protection Authority (ANPC)
LogoRO.jpg
Authority: ANSPDCP (Romania)
Jurisdiction: Romania
Relevant Law: Article 32(2) GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided:
Published:
Fine: n/a
Parties: National Consumer Protection Authority (ANPC)
National Case Number/Name: National Consumer Protection Authority (ANPC)
European Case Law Identifier: n/a
Appeal: Appealed - Confirmed
Bucharest Tribunal
Original Language(s): Romanian
Original Source: Romanian DPA (in RO)
Initial Contributor: Silvia Axinescu

The Romanian Bucharest court-of-law upheld the sanction imposed by the DPA to the National Consumer Protection Authority (ANPC) in a case regarding the use of messaging application WhattsApp.

English Summary

Facts

The National Consumer Protection Authority (ANPC) decided to allocate a dedicated mobile phone number for sending consumer complaints through WhattsApp messages. Following the receiving petitions and complaint through this channel, ANPC collected numerous personal data of respective petitioners.

After receiving several complaints in this respect, as well as considering the news published in various press releases, the DPA initiated an investigation on the use of WhattsApp by ANPC.

Holding

As a result of the investigation, the DPA found that ANPC collected numerous personal data through WhattsApp application, which was not in its control and without taking into account the risks involved. Also, the DPA noticed that ANPC already had other available channels for receiving petitions and complaints (email, online, directly on ANPC website, registered mail).

The DPA found that ANPC violated art. 32 (2) GDPR and imposed a warning, as well as corrective measures to process personal data only by using means under ANPC control. These measures also included implementation of appropriate technical and organizational measures to guarantee and be able to demonstrate that processing is carried out in accordance with the provisions of the GDPR.

ANPC challenged the decision of the DPA and the court rejected the appeal as unfounded. In its decision, the court made reference to the finding of the DPA.

Comment

Unfortunately, the Romanian court of law nor DPA do not publish its full decisions. This summary is based on a press release of the DPA.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.

10.07.2023

Court decision - ANPC - WhatsApp



In the litigation currently pending, the court of first instance (Bucharest Municipal Court) upheld the minutes of the National Authority for the Supervision of Personal Data Processing through which it was established that ANPC collected numerous personal data from notifications and complaints received, by using the "WhatsApp" application, which is not under its control, without taking into account the risks involved, thus violating the provisions of art. 32 para. (2) of the GDPR.

Thus, for the fact found in 2022, the National Supervisory Authority for the Processing of Personal Data ordered the sanction with a warning, based on Law no. 190/2018, accompanied by the corrective measure to process personal data only by using personal data processing means that are under its control, including by implementing appropriate technical and organizational measures to guarantee and be able to demonstrate that the processing is carried out in accordance with the provisions of the GDPR.

The investigation was started as a result of some reports complaining that ANPC decided to allocate mobile phone numbers, in order to receive reports, although ANPC had other means of sending petitions (email, online, website, mail). This information was also found in the press releases posted by the ANPC website.

Regarding the findings of the National Supervisory Authority for the Processing of Personal Data, contained in the control report, the court of first instance rejected the appeal filed by ANPC as unfounded.

In this context, with regard to ensuring the compliance of processing operations with GDPR rules by WhatsApp Ireland - this company was subjected to the investigation of the Data Protection Authority of Ireland, finding a violation of the principle of transparency enshrined in Article 5 para. (1) lit. a) of the GDPR and, implicitly, of the right to information of data subjects located on the territory of several member states, establishing a significant fine of 225 million Euros.

Regarding the aspects presented above, the National Supervisory Authority for the Processing of Personal Data draws attention to the fact that, in the context of processing personal data, using the messaging application "WhatsApp" as means of processing, related to the principle of operator responsibility, processing in this way may affect the right to privacy and data protection of natural persons, by referring to the processing principles established by Regulation (EU) 2016/679 (GDPR).