ANSPDCP (Romania) - Fine against IA BILET SRL

From GDPRhub
ANSPDCP - Fine against IA BILET SRL
LogoRO.jpg
Authority: ANSPDCP (Romania)
Jurisdiction: Romania
Relevant Law: Article 6(1)(a) GDPR
Article 7(1) GDPR
Article 12(1) GDPR
Article 21(2) GDPR
Article 21(3) GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided:
Published: 25.10.2024
Fine: 9,951.40 RON
Parties: IA BILET SRL
National Case Number/Name: Fine against IA BILET SRL
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Romanian
Original Source: ANSPDCP (in RO)
Initial Contributor: fb

The DPA fined a controller RON 9,951.40 (€2,000) because it completely deleted the data subject's account after they had objected to the processing of their phone number for direct marketing purposes.

English Summary

Facts

The controller operates a website where concert tickets are sold.

In order to use this platform, the data subject created an account and entered their phone number. After that, the data subject received several text messages on their phone, advertising the controller's services.

Therefore, the data subject objected to the processing of their phone number for direct marketing purposes pursuant to Article 21(2) GDPR.

After that, the controller completely deleted their account and refused to reactivate it.

Thus, the data subject filed a complaint with the DPA.

Holding

The DPA held that the controller reacted in an unlawful way when receiving the data subject's objection, since it completely deactivated and deleted the data subject's profile.

Therefore, the DPA found a violation of Article 12(1) GDPR in combination with Article 21(2) and 21(3) GDPR.

Moreover, the DPA noted that the controller had never acquired the data subject's consent before sending them direct marketing SMS. Therefore, it found a violation of Articles 6(1)(a) and 7(1) GDPR.

On these grounds, the DPA issued a fine of RON 9,951.40 (€2,000).

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.

25.10.2024

Penalty for GDPR violation

 

The National Supervisory Authority for the Processing of Personal Data completed in September 2024 an investigation at the operator IA BILET SRL and found a violation of the provisions of art. 5 para. (1) lit. a) and para. (2), in conjunction with art. 6 para. (1), art. 12 para. (1) first sentence, related to art. 21 para. (2) and (3), and art. 6 para. (1) lit. a) and art. 7 para. (1) of Regulation (EU) 2016/679.

As such, the operator was penalized for contravention with two fines totaling 9,951.4 (the equivalent of 2,000 EURO) and a warning, as follows:

1. fine in the amount of 4,975.7 lei (the equivalent of 1,000 EURO), for violating the provisions of art. 5 para. (1) lit. a) and para. (2), in conjunction with art. 6 para. (1) from Regulation (EU) 2016/679;

2. fine in the amount of 4,975.7 lei (the equivalent of 1,000 EURO), for violating the provisions of art. 12 para. (1) first sentence, related to art. 21 para. (2) and (3) of Regulation (EU) 2016/679;

3. warning for violating the provisions of art. 6 para. (1) lit. a) and of art. 7 para. (1) of Regulation (EU) 2016/679.

The investigation was started as a result of a complaint submitted by a natural person claiming a possible violation of the provisions of Regulation (EU) no. 2016/679. In this sense, a client of the operator complained that the operator unjustifiably deleted his account created on the iabilet.ro platform and refused to reactivate his account after exercising his right to deletion, as a result of the fact that he received messages on his phone number unsolicited commercial for marketing purposes.

Also, during the investigation it was found that following the exercise of the right of opposition regarding the unsubscription from the newsletter of the telephone number of the person concerned, the operator anonymized (pseudonymized) all the personal data from the client's account (name, surname, address e-mail address, including phone number), so she could no longer use her own account.

As such, during the investigation, the operator did not present evidence regarding compliance with the principles and conditions of legality of such processing of these data, being violated the provisions of art. 5 para. (1) lit. a) and para. (2), in conjunction with art. 6 para. (1) from Regulation (EU) no. 2016/679.

For this violation, the operator was fined 4,975.7 lei (the equivalent of 1,000 EURO).

At the same time, during the investigation, it emerged that the Ia Bilet SRL operator, although he informed the client that he had made changes to the e-mail address in order to be able to use the account, the account remained inactive.

As such, the violation of the provisions of art. 12 para. (1) first sentence, related to art. 21 para. (2) and (3) of Regulation (EU) no. 2016/679.

For this violation, the operator was fined 4,975.7 lei (the equivalent of 1,000 EURO).

During the investigation, the National Supervisory Authority found that, with regard to the transmission of promotional messages via SMS, the operator did not prove that the person concerned had, in advance, expressed his express consent for the purpose of processing his phone number in order to commercial communications are transmitted, thus violating the provisions of art. 6 para. (1) lit. a) and of art. 7 para. (1) from Regulation (EU) no. 2016/679.

As such, the operator was sanctioned with a warning.

At the same time, the following corrective measures were ordered against the operator:

to ensure compliance with Regulation (EU) no. 2016/679 of personal data processing operations, including their pseudonymization and deletion, by referring to the principles and conditions of legality provided by art. 5 and 6 of the regulation, including in terms of the development of written procedures in the sense of art. 24 and 32 of the same regulation and of the appropriate and regular training of the people who will apply them; to communicate to the data subject an adequate response regarding the processing of his personal data following his exercise of the right of opposition; to ensure compliance with Regulation (EU) no. 2016/679 of the further processing of personal data, through the transparent, correct and complete information of all data subjects whose personal data are processed by the operator, in relation to the method of exercising rights, in accordance with the provisions of art. 12-23 of the regulation, as well as the appropriate and regular training of the people who manage the requests of the data subjects; to ensure compliance with Regulation (EU) no. 2016/679 of the operations of collection and further processing of personal data, through the correct and demonstrable implementation of the procedure for obtaining the express consent of the persons concerned in order to send commercial communications to them by electronic means (including by telephone and e-mail) and the cessation of the transmission of such communications in the case of persons for whom compliance with the aforementioned legal conditions cannot be proven.

Legal and Communication Department

A.N.S.P.D.C.P.