ANSPDCP (Romania) - 13.03.2023
|ANSPDCP - 13.03.2023|
|Relevant Law:||Article 12 GDPR|
Article 13 GDPR
|National Case Number/Name:||13.03.2023|
|European Case Law Identifier:||N/A|
|Original Source:||ANSPDCP (in RO)|
The Romanian DPA held that by requesting a written, dated and signed document to authenticate the data subject, the controller imposed excessive conditions on the exercise of a GDPR right, in violation of Articles 12 GDPR.
English Summary[edit | edit source]
Facts[edit | edit source]
A data subject made an objection request to marketing communications received from a fashion retailer (the controller). The controller indicated that it would comply with the request, but continued sending marketing communications to the data subject.
The data subject filed a complaint with the Romanian DPA which started an investigation on that matter.
The investigation revealed that, in order to exercise their right, the data subject had to submit a written, dated and signed request. Moreover, it revealed that the information notice did not cover the information on data recipients, retention terms or the right to lodge a complaint to the DPA.
Holding[edit | edit source]
The DPA found that by requiring to the data subject to submit his request in a written, signed and dated form, the controller imposed excessive conditions for the exercise of the data subjects' rights, in breach of Articles 12. Also, the DPA found that the data controller violated Article 13 GDPR since the information notice did not provide complete, correct, accurate, and updated information.
The DPA imposed a fine of RON 9871 (approximately €2000) for these violations. In accordance with Article 58(2)(d) GDPR, the DPA also imposed corrective measures.
First, the DPA ordered the data controller to facilitate the exercise of data subjects' rights by removing the excessive condition of requesting the data subjects to submit a "written, dated and signed" request, when exercising their rights.
Second, it ordered the controller to take appropriate measures in order to comply with the GDPR provisions, so that, in the future, the personal data used for direct marketing will only be processed based on the data subject's consent, to implement related internal procedures in this respect and to amend the relevant sections on the website to reflect such flow.
Third, the DPA ordered the data controller to amend its information notice, in order to provide the data subjects complete, correct, accurate and updated information in respect to the processing of their data.
Comment[edit | edit source]
Share your comments here!
Further Resources[edit | edit source]
Share blogs or news articles here!
English Machine Translation of the Decision[edit | edit source]
The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.
In January of the current year, the National Supervisory Authority completed an investigation at the Modaone SRL operator, during which it found a violation of the provisions of art. 12 and art. 13 of the General Data Protection Regulation. As such, the company Modaone SRL was fined in the amount of 9871 lei (the equivalent of 2000 EURO). The investigation was started as a result of a complaint submitted by a concerned person, in which he complained that commercial messages were sent to his e-mail address from www.kalapod.net, in violation of the right of opposition, although it was previously communicated that such messages will no longer be sent to him. During the investigation, it was found that Modaone SRL, owner of www.kalapod.net, does not provide complete, correct, accurate and updated information regarding the processing of the personal data of the persons concerned, as provided by art. 13 of the RGPD (e.g.: recipients of personal data, storage period, the right to file a complaint with the supervisory authority), imposing, at the same time, excessive conditions for the exercise of rights by the persons concerned, thus violating the provisions of art. 12 and art. 13 of the GDPR. At the same time, under art. 58 para. (2) lit. d) from the General Data Protection Regulation, the following corrective measures were ordered against the operator: - taking appropriate measures in order to comply with the provisions of the RGPD, so that, in the future, the personal data of the persons concerned will be processed for the purpose of direct marketing aimed at the use of electronic communication services (e-mail, telephone), only with obtaining consent express and prior to them, including the adoption of procedures in this regard and the corresponding modification of the applicable sections on the kalapod.net website; - modification of the "Terms and conditions" section on the kalapod.net website so that the persons concerned are provided with complete, correct, accurate and updated information regarding the processing of personal data; at the same time, the excessive condition of sending the request "written, dated and signed" in the case of their transmission by e-mail, as well as the excessive condition of requesting a copy of the identity document in order to exercise the rights provided by the GDPR, will be eliminated. Legal and Communication Department A.N.S.P.D.C.P.