ANSPDCP (Romania) - Noy Business Transactions SRL
| ANSPDCP - Noy Business Transactions SRL | |
|---|---|
 | |
| Authority: | ANSPDCP (Romania) |
| Jurisdiction: | Romania |
| Relevant Law: | Article 12(1) GDPR Article 12(2) GDPR Article 12(3) GDPR Article 12(4) GDPR Article 15(3) GDPR Article 17 GDPR |
| Type: | Complaint |
| Outcome: | Upheld |
| Started: | |
| Decided: | |
| Published: | 11.03.2025 |
| Fine: | 4,977.3 RON |
| Parties: | Noy Business Transactions SRL |
| National Case Number/Name: | Noy Business Transactions SRL |
| European Case Law Identifier: | n/a |
| Appeal: | Unknown |
| Original Language(s): | Romanian |
| Original Source: | Autoritatea Naţională de Supraveghere a Prelucrării Datelor cu Caracter Personal (in RO) |
| Initial Contributor: | elu |
The DPA fined an hotel RON 4,977.3 (€1,000) due to their failure to respond to a data subject’s access and erasure request for video recordings from their hotel visit.
English Summary
Facts
A data subject filed a complaint before the DPA of an alleged violation of the GDPR by an hotel, the controller. The complaint concerned the lack of reply to an access and erasure request by the data subject with regards to recordings of the video cameras, from the period of their stay, at the hotel where they was staying, belonging to the controller.
The DPA decided to start an investigation, which revealed that the controller did not forward the access request within their legal team.
Holding
The DPA held that the lack of communication from the controller within their legal team hindered the exercise of the data subject’s right of access and erasure.
Thus, the DPA found a violation of Articles 12(1), (2), (3), (4) GDPR, Article 15(3) GDPR and Article 17 GDPR and thus imposed a fine of RON 4,977.3 (€1,000).
Additionally, the DPA imposed the following to the controller:
- To effectively reply to the data subject’s access request;
- To adopt the necessary technical and organisational measures, such as the proper training of their personnel, so that the controller can analyse, settle correctly and respond appropriately to access requests by data subjects.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.
11.03.2025 Sanction for violation of the GDPR The National Supervisory Authority for Personal Data Processing completed, in February 2025, an investigation at the operator Noy Business Tranzactions SRL and found a violation of the provisions of art. 12 para. (1)-(4) in relation to art. 15 para. (3) and art. 17 of Regulation (EU) 2016/679. As such, the operator was fined a fine of 4,977.3 lei (equivalent to 1,000 EURO). The investigation was initiated following a complaint alleging a possible violation of the provisions of Regulation (EU) 2016/679. Thus, a client complained that the operator did not provide a response to his request by which he exercised his right of access to his personal data (image), requesting the video camera recordings from his stay at the hotel where he was accommodated, belonging to the operator. During the investigation, the National Supervisory Authority for Personal Data Processing found that the operator did not provide an adequate and complete written response within the legal deadline to the person's request, by which he had exercised both the right of access and the right to erasure of his data. As such, it was established that the provisions of art. 12 para. (1)-(4) of Regulation (EU) 2016/679, in relation to art. 15 para. (3) and art. 17 of the same European act, were violated. At the same time, the following corrective measures were also ordered towards the operator: to send a complete response to the request of the data subject, to the contact details indicated by him, by securely communicating the requested personal data, to the extent that they are still available, as well as information regarding the deletion of the data, by reporting to the provisions of art. 15 para. (3) and (4), art. 17, in conjunction with art. 12 of Regulation (EU) 2016/679; to ensure compliance with Regulation (EU) 2016/679 of the personal data processing operations, by adopting the necessary technical and organizational measures, including in terms of appropriate training of the staff designated for this purpose, so that the operator is able to analyze, correctly resolve and respond appropriately to the requests by which the data subjects exercise their rights, within the deadlines and according to the conditions provided for in art. 12-23 of Regulation (EU) 2016/679. Legal and Communication Department A.N.S.P.D.C.P.
