ANSPDCP (Romania) - One United Properties SA
ANSPDCP - One United Properties SA | |
---|---|
Authority: | ANSPDCP (Romania) |
Jurisdiction: | Romania |
Relevant Law: | Article 6 GDPR, Article 12(3) GDPR, Article 15 GDPR, Article 17 GDPR |
Type: | Investigation |
Outcome: | Violation Found |
Started: | |
Decided: | 20.03.2025 |
Published: | |
Fine: | 9,994 RON |
Parties: | One United Properties SA |
National Case Number/Name: | One United Properties SA |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | Romanian |
Original Source: | Autoritatea Naţională de Supraveghere a Prelucrării Datelor cu Caracter Personal (in RO) |
Initial Contributor: | elu |
The DPA fined a real estate investor RON 9,994 (€2,000) for failing to prove consent to the use of personal data for telemarketing, and for failing to respond to data access requests.
English Summary
Facts
The DPA conducted an ex officio investigation in relation to the telemarketing activities of real estate investor One United Properties SA (the data controller).
The investigation revealed that several unsolicited commercial messages were sent to different data subjects over a prolonged time period. The controller was not able to prove the consent of the data subjects to the processing of their data for marketing purposes. Additionally, some data subjects requested multiple times to access their data and to receive confirmation of whether their data was being processed or had been deleted. The controller did not respond to these access requests.
Holding
The DPA found that, by not being able to prove the consent of data subjects to the processing, the controller violated Article 6 GDPR.
In relation to the access request, the lack of reply within one month of receipt of the request hindered the exercise of the data subject's rights. Thus, the controller violated Articles 12(3), 15 and 17 GDPR.
Therefore, the DPA found a violation of Articles 6, 12(3), 15 and 17 GDPR. For these reasons, the DPA imposed a fine of RON 9,994 (€2,000).
Additionally, the DPA ordered the controller to bring its direct marketing into compliance with the GDPR:
1. By no longer processing personal data without the consent of the data subjects and without the existence of any other legal basis for processing the data subjects' data, including for marketing purposes;
2. By training their staff on how to properly handle data subject access requests.
English Machine Translation of the Decision
The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.
20.03.2025

Sanction for violation of the GDPR

The National Supervisory Authority for Personal Data Processing completed, in February 2025, an investigation at the operator ONE UNITED PROPERTIES S.A. and found a violation of the provisions of art. 6, art. 12 paragraph (3), art. 15 and art. 17 of Regulation (EU) 2016/679.

As such, the operator was sanctioned as a contravention:

- with a fine in the amount of 4,977.00 lei (equivalent to 1,000 EURO), for violating the provisions of art. 6 of Regulation (EU) 2016/679;
- with a fine in the amount of 4,977.00 lei (equivalent to 1,000 EURO), for violating the provisions of art. 12 paragraph (3), art. 15 and art. 17 of Regulation (EU) 2016/679.

The investigation was initiated following petitions by a natural person claiming that the provisions of Regulation (EU) 2016/679 had been violated.

During the investigation, the National Supervisory Authority for the Processing of Personal Data found that the operator had sent the data subject, over a certain period of time, unsolicited commercial messages. In this context, the operator had not provided evidence of the existence of consent obtained from the data subject for the processing of his or her personal data for marketing purposes, thus violating the provisions of art. 6 of Regulation (EU) 2016/679.

At the same time, it was found that the data subject requested, through repeated requests, confirmation as to whether or not his personal data were being processed by the controller, as well as whether these data had been deleted, as he was receiving unsolicited commercial messages. Thus, it emerged that the controller had not provided proof of sending a response within the legal deadline of no more than one month to the requests to exercise the rights of access and deletion from the data subject. Consequently, the provisions of art. 12 para. (3), art. 15 and art. 17 of Regulation (EU) 679/2016 were violated.

At the same time, pursuant to the provisions of art. 58 para. (2) let. c) and d) of Regulation (EU) 2016/679, the following corrective measures were also ordered against the operator:

- taking the necessary measures so that, in the future, the compliance of the processing operations with the provisions of Regulation (EU) 2016/679 is ensured, respectively, to avoid the processing of personal data without the consent of the data subjects and without the existence of another legal basis for the processing of the data subjects' data, including for marketing purposes, by referring to the provisions of art. 6 of Regulation (EU) 2016/679;
- adopting internal procedures regarding the manner of resolving requests submitted by the data subjects pursuant to the provisions of art. 12-22 of Regulation (EU) 2016/679, complying in all cases with the applicable provisions regarding the analysis and resolution of these requests and the communication of responses to the data subjects within the legal deadlines, as well as regular training of the operator's staff in this regard;
- sending a response to the data subject to requests to exercise the right of access and the right of deletion.

Legal and Communication Department
A.N.S.P.D.C.P.