ANSPDCP (Romania) - Fine against Vodafone Romania SA

From GDPRhub
Authority: ANSPDCP (Romania)
Jurisdiction: Romania
Relevant Law: Article 12(3) GDPR
Article 15 GDPR
Article 17 GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided:
Published: 16.09.2024
Fine: 14,930 RON
Parties: Vodafone Romania SA
National Case Number/Name: Fine against Vodafone Romania SA
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Romanian
Original Source: ANSPDCP (in RO)
Initial Contributor: fb

The DPA fined Vodafone Romania €3,000 after it failed to act on an access and deletion request.

English Summary

Facts

The data subject sent the controller, a mobile phone operator, an access request and a deletion request.

The controller did not reply to the data subject within the time frame set by Article 12(3) GDPR.

Therefore, the data subject filed a complaint with the DPA. Only after the DPA started an investigation into the controller did the latter act on the data subject's requests.

Holding

The DPA noted that the controller failed to act on the data subject's access and deletion request without undue delay and, in any case, within one month from the request.

Therefore, it found a violation of Article 12(3) GDPR in combination with Articles 15 and 17 GDPR.

On these grounds, it issued a fine of RON 14,930 (€3,000) and ordered the controller to adopt an internal procedure on how to deal with requests submitted by data subjects under the GDPR within the legal deadlines.


English Machine Translation of the Decision

The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.

16.09.2024

Sanctions for GDPR violations

The National Supervisory Authority completed investigations at two operators and found violations of the provisions of art. 12 para. (3), art. 15 and art. 17 of the General Data Protection Regulation (GDPR).

As such, the operators were sanctioned as follows:

1. The operator Vodafone Romania SA was fined 14,930 lei (the equivalent of 3,000 EURO) for a contravention.

The sanction was applied as a result of a complaint claiming that the operator did not respond to the request through which the petitioner exercised his rights of access and erasure provided by the GDPR.

In the course of the investigation, the National Supervisory Authority found that Vodafone Romania SA did not prove that it had sent the petitioner a response to his request to exercise access and deletion rights within 30 days; the response was communicated to him by the operator after steps had been taken by our institution.

In this context, the operator Vodafone Romania SA was fined for violating the provisions of art. 12 para. (3), art. 15 and art. 17 of the GDPR.

At the same time, the operator Vodafone România SA was also given the corrective measure of adopting an internal procedure on how to resolve requests submitted by data subjects under the GDPR (art. 12-22), so as to comply in all cases with the applicable provisions regarding the analysis and resolution of these requests without delay and the communication of answers to the data subjects within the legal deadlines, as well as to regularly train the staff.

2. The operator SC Class IT Outsourcing SRL was fined 4,976.7 lei (the equivalent of 1,000 EURO) for a contravention.

The investigation was started as a result of a complaint claiming that the operator did not respond to the request to exercise the right to deletion.

During the investigation, the National Supervisory Authority found that the operator SC Class IT Outsourcing SRL did not prove that it had sent the petitioner a response to his request to exercise the right to deletion within 30 days; the response was sent to him after the actions taken by the supervisory authority.

Thus, the operator SC Class IT Outsourcing SRL was fined for violating the provisions of art. 12 para. (3) and art. 17 of the GDPR.

At the same time, the operator was also given the corrective measure of adopting an internal procedure on how to resolve requests submitted by data subjects under the GDPR (art. 12-22), so as to comply in all cases with the applicable provisions regarding the analysis and resolution of these requests without delay and the communication of answers to the data subjects within the legal deadlines, as well as to regularly train the staff.

Legal and Communication Department

A.N.S.P.D.C.P.