ANSPDCP (Romania) - Fine against Corint Logistic SRL

From GDPRhub
ANSPDCP - Fine against Corint Logistic SRL
LogoRO.jpg
Authority: ANSPDCP (Romania)
Jurisdiction: Romania
Relevant Law: Article 5(1)(b) GDPR
Article 5(1)(a) GDPR
Article 6(1) GDPR
Article 12 GDPR
Article 15(1) GDPR
Article 17 GDPR
Article 21(3) GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided:
Published: 30.05.2024
Fine: 2000 EUR
Parties: Corint Logistic SRL
National Case Number/Name: Fine against Corint Logistic SRL
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Romanian
Original Source: ANSPDCP (in RO)
Initial Contributor: Diana Rosu

The DPA fined a controller €2,000 (RON 9,952.6) for sending marketing communications without obtaining prior consent, and for failing to delete a data subject's personal data after the individual exercised their deletion request.

English Summary

Facts

A data subject submitted a deletion request against a controller. The controller confirmed receipt and fulfillment of the request. However, the data subject continued to receive unsolicited marketing via SMS messages from the controller. Consequently, the data subject filed a complaint with the Romanian DPA, which opened an investigation of the controller.

Holding

First, the DPA found that the controller did not fulfil the data subject's deletion request and continued to send marketing communications via SMS, in breach of Articles 17 and 21(3) GDPR. This breach was sanctioned with a fine of approximately €1,000 (RON 4,976.3).

Second, the DPA considered that the controller could not demonstrate obtaining consent before sending marketing communications, in breach of Articles 5(1)(a), 5(1)(b) and Article 6(1) GDPR. This breach was also sanctioned with a fine of approximately €1,000 (RON 4,976.3).

Third, the controller did not respond to other data subject deletion and access requests, which were submitted by the same individual via email, in breach of Articles 15(1) and 12 GDPR. The controller received a warning for this breach.

Finally, the DPA requested the controller to adopt consent procedures that ensure the collection of prior, explicit consent before processing personal data for direct marketing purposes. It also requested the controller to adopt data subject rights procedures that enable more efficient and timely responses to such requests and to train its personnel on how to handle these requests.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.

30.05.2024

Penalty for GDPR violation

 

The National Supervisory Authority for the Processing of Personal Data completed in April 2024 an investigation at the operator Corint Logistic SRL and found a violation of the provisions of art. 5 para. (1) lit. a) and b), art. 6 para. (1), art. 12, art. 15 para. (1), art. 17 and art. 21 para. (3) of Regulation (EU) 2016/679.

As such, the operator was penalized:

1. with a fine of 4,976.3 lei (the equivalent of 1,000 EURO), for violating the provisions of art. 17 and art. 21 para. (3) from Regulation (EU) 2016/679;

2. with a fine of 4,976.3 lei (the equivalent of 1,000 EURO), for violating the provisions of art. 5 para. (1) lit. a) and b) from Regulation (EU) 2016/679;

3. with a warning, for violating the provisions of art. 15 para. (3) from Regulation (EU) 2016/679 in conjunction with art. 12 of Regulation (EU) 2016/679;

The investigation was started as a result of a notification sent by a concerned person who claimed a possible violation of the provisions of Regulation (EU) no. 2016/679. Thus, a client of the operator complained that he received commercial SMS messages from Corint Logistic SRL on his phone number, although he exercised his right to deletion and received confirmation that his personal data had been deleted.

During the investigation, it was found that the operator did not take into account the deletion/opposition requests sent by his client, so the petitioner continued to receive other commercial messages via SMS from Corint Logistic SRL, thus violating the provisions of art. 17 and 21 par. (3) of Regulation (EU) 679/2016.

Also, during the investigation, it was found that the operator did not prove the existence of the expressed consent of the person concerned for the transmission of commercial messages over the phone, thus violating the provisions of art. 5 para. (1) lit. a) and b) and of art. 6 para. (1) of Regulation (EU) 679/2016.

At the same time, during the investigation, it turned out that the operator did not communicate to the client a response to other requests through which he exercised his rights of access and deletion, sent by e-mail, although he had this obligation, the provisions of art. 15 para. (1) of Regulation (EU) 679/2016, related to art. 12 of the same regulation.

At the same time, the following corrective measures were applied to the operator:

- taking the appropriate measures in order to comply with the provisions of Regulation (EU) 679/2016, so that in the future the personal data of the persons concerned will be processed for the purpose of direct marketing aimed at the use of electronic communication services (e-mail, telephone), with obtaining their express and prior consent, including the adoption of procedures in this regard;

- the adoption of adequate and efficient internal procedures for the protection of personal data regarding the way of resolving the requests submitted by the persons concerned, pursuant to Regulation (EU) 679/2016, compliance in all cases with the applicable provisions regarding the analysis and resolution without delay of these requests, so that the operator can ensure that it effectively responds to the requests through which the rights of the data subjects are exercised, as well as regular operator training of its own staff.

Legal and Communication Department

A.N.S.P.D.C.P.