ANSPDCP (Romania) - 17-03-2023/1
|ANSPDCP - 17-03-2023/1|
|Relevant Law:||Article 5(1)(c) GDPR|
Article 5(2) GDPR
|Parties:||Alianța pentru Unirea Românilor|
|National Case Number/Name:||17-03-2023/1|
|European Case Law Identifier:||n/a|
|Original Source:||ANSPDCP (in RO)|
The Romanian DPA fined a political party Є10,000 for collecting data through a membership form on its website without complying with the principle of data minimisation.
English Summary[edit | edit source]
Facts[edit | edit source]
A Romanian political party (Alianța pentru Unirea Românilor) had a membership form on its website. When a person filled in the form and signed it, their data was collected (name, address, phone number, ID card number...). One person reported this to the Romanian DPA, which opened an investigation.
Holding[edit | edit source]
As a result of its investigation, the DPA found that the data of a large number of individuals had been collected and processed in violation of the principle of data minimisation, resulting in a breach of Articles 5(1)(c) and 5(2) GDPR. Consequently, it fined the party RON49,115 (approximately Є10,000).
Comment[edit | edit source]
Share your comments here!
Further Resources[edit | edit source]
Share blogs or news articles here!
English Machine Translation of the Decision[edit | edit source]
The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.
15.03.2023 penalties 1. In February of the current year, the National Supervisory Authority completed an investigation at the operator Alliance for the Romanian Union and found a violation of the provisions of art. 5 para. (1) lit. c) and para. (2) of the General Data Protection Regulation (RGPD). As such, the Alliance for the Union of Romanians was fined 49,115 lei, the equivalent of 10,000 EURO. The sanction was applied as a result of reports claiming that the operator collects personal data through a website, without informing the persons concerned and without fulfilling the conditions regarding the legality of the processing. During the investigation it was found that personal data (surname, surname, address, series and number of identity card, personal numerical code, telephone, signature) were collected by filling in and signing the online form on the respective website , by sending the downloaded/completed/signed form by post, as well as by completing and signing the form at the special centers organized by the Alliance for the Union of Romanians. This situation led to the processing of personal data of a significant number of concerned persons in violation of the principles of personal data processing provided for in art. 5 para. (1) lit. c) ("data minimization") and para. (2) of the GDPR ("responsibility"). 2. In February of the current year, the National Supervisory Authority completed another investigation at the operator Party Uniunea Salvați Romania and found a violation of the provisions of art. 32 para. (1) lit. a) and para. (2) of the General Data Protection Regulation (RGPD). As such, the Save Romania Union Party was fined 19,646 lei, the equivalent of 4,000 EURO. The investigation was started as a result of the transmission by the operator of personal data security breach notifications under the General Data Protection Regulation. The data breach occurred as a result of the loss of confidentiality and integrity of data stored in an operator's server hosting an application that was subjected to a phishing attack. During the investigation, it was found that the operator did not implement adequate technical and organizational measures to ensure an appropriate level of security, such as the encryption/pseudonymization of personal data stored in the respective application, which led to the loss of the confidentiality of the data processed by accessing unauthorized use of personal data such as name, surname, personal number code, e-mail, telephone number, political affiliation data. At the same time, the operator was also applied the corrective measure to ensure compliance with the RGPD of personal data processing operations, by implementing appropriate technical and organizational measures, as a result of the assessment of the risk for the rights and freedoms of individuals, including the work procedures regarding to the protection of personal data. Legal and Communication Department A.N.S.P.D.C.P.