Banner1.jpg

ANSPDCP (Romania) - Fan Courier Express S.R.L.

From GDPRhub
ANSPDCP - Fan Courier Express S.R.L.
LogoRO.jpg
Authority: ANSPDCP (Romania)
Jurisdiction: Romania
Relevant Law: Article 12(2) GDPR
Article 12(3) GDPR
Article 12(4) GDPR
Article 15(3) GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided:
Published: 23.12.2024
Fine: 2,000 RON
Parties: Fan Courier Express S.R.L.
National Case Number/Name: Fan Courier Express S.R.L.
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Romanian
Original Source: Autoritatea Naţională de Supraveghere a Prelucrării Datelor cu Caracter Personal (in RO)
Initial Contributor: elu

The DPA fined a delivery service €2,000 after an access request from an employee revealed that it systematically obstructed these requests by demanding additional requests to be made to a different internal department and, subsequently, failing to provide a copy of the processed personal data.

English Summary

Facts

An employee, the data subject, filed a complaint against its employer, Fan Courier Express S.R.L., the controller, with the Romanian DPA after the controller did not adequately respond to their access request.

The DPA started an investigation on the matter.

Holding

The DPA concluded its investigation and found that the controller failed to provide the data subject with a copy of their personal data, which were correctly requested electronically, in line with Article 15(3) GDPR. Moreover, the controller hindered the request of access by forwarding it to another internal department, while, at the same time, requesting the data subject to submit a new application to said other internal department.

This approach to the access request indicated a violation of Article 12(2), (3) and (4) GDPR by reference to Article 15(3) GDPR.

The DPA deemed it appropriate to impose a fine of RON 9,954 (€2,000) and order the controller to provide the data subject with a copy of their personal data, and to adopt the necessary technical and organizational measures, including the appropriate training of the personnel, in order ensure compliance with access request obligations.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.

23.12.2024

Sanction for violation of the GDPR

 

The National Supervisory Authority for Personal Data Processing completed, in December 2024, an investigation at the operator Fan Courier Express S.R.L. and found a violation of the provisions of art. 12 para. (2), (3) and (4) in relation to the provisions of art. 15 para. (3) of Regulation (EU) 2016/679.

As such, the operator was sanctioned with a fine in the amount of 9,954 lei, equivalent to the amount of 2000 euros.

The investigation was initiated following a complaint submitted by an employee who reported a possible violation of Regulation (EU) 2016/679, as a result of the lack of an adequate and complete response from the operator to the request by which he exercised his right of access.  

During the investigation, it was found that the operator Fan Courier Express S.R.L. failed to communicate to the data subject a copy of his/her personal data, as he/she correctly requested through the request sent electronically to the operator, in accordance with the provisions of art. 15 para. (3) of the GDPR.

It was found that the operator delayed the resolution of the data subject's request by directing it to another internal department, asking him/her to submit a new request to another office of the operator.

It was also found that the e-mail address associated with the data subject for communications existed in the operator's records system.

Consequently, it was found that the operator Fan Curier Express S.R.L. did not properly respect the right of access of the requester, violating the provisions of art. 12 para. (2), (3) and (4) in accordance with art. 15 para. (3) of Regulation (EU) 2016/679 and was fined.

The operator was also ordered to take corrective measures:

to send a complete response to the request of the petitioner by e-mail, by securely communicating a copy of his personal data from the operator's records system; to ensure compliance with Regulation (EU) 2016/679 of the personal data processing operations, by adopting the necessary technical and organizational measures, including in terms of appropriate training of the personnel designated for this purpose, so that the operator is able to analyze, correctly resolve and respond appropriately to the requests through which the data subjects exercise their rights.

 

Legal and Communication Department    

A.N.S.P.D.C.P