ANSPDCP (Romania) - 18.01.2023: Difference between revisions

From GDPRhub
(Created page with "{{DPAdecisionBOX |Jurisdiction=Romania |DPA-BG-Color=background-color:#ffffff; |DPAlogo=LogoRO.jpg |DPA_Abbrevation=ANSPDCP |DPA_With_Country=ANSPDCP (Romania) |Case_Number_...")
 
No edit summary
Line 64: Line 64:


=== Facts ===
=== Facts ===
On an underdetermined date, a data subject issued a complaint against a controller operating in the electric household appliances industry to the Romanian DSA. The data subject argued that the controller had violated their right to right to erasure (‘right to be forgotten’) pursuant to [[Article 17 GDPR|Article 17 GDPR]].  
On an underdetermined date, a data subject issued a complaint to the Romanian DSA against a controller operating in the electric household appliances industry. The data subject argued that the controller had violated their right to erasure (‘right to be forgotten’) pursuant to [[Article 17 GDPR|Article 17 GDPR]].  


The DPA decided to investigate the matter.
The DPA decided to investigate the matter.

Revision as of 16:00, 24 January 2023

ANSPDCP - Press Communication 18/01/2023
LogoRO.jpg
Authority: ANSPDCP (Romania)
Jurisdiction: Romania
Relevant Law: Article 17 GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided:
Published: 18.01.2023
Fine: 4,918.60 RON
Parties: n/a
National Case Number/Name: Press Communication 18/01/2023
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Romanian
Original Source: Romanian DPA (in RO)
Initial Contributor: n/a

The Romanian DPA fined a controller ca. €1000 for sending a data subject unsolicited commercial messages per SMS after the data subject had already requested the deletion of its data pursuant to Article 17 GDPR.

English Summary

Facts

On an underdetermined date, a data subject issued a complaint to the Romanian DSA against a controller operating in the electric household appliances industry. The data subject argued that the controller had violated their right to erasure (‘right to be forgotten’) pursuant to Article 17 GDPR.

The DPA decided to investigate the matter.

Holding

During its investigation, the Romanian DPA found that the controller had sent an SMS to the phone number of the data subject concerning the controller's commercial offers despite the fact that the data subject had previously requested the controller to delete all the data subject's personal data. The DPA came to the conclusion that the controller had not adopted all the necessary measures in order to comply with the data subject's request which resulted in the continuation of illegal data processing through the communication of unsolicited commercial messages.

Consequently, pursuant to its powers under Article 58(2)(d), the DPA ordered the controller to take technical and organizational measures to ensure that it would effectively respond to data subject's requests through which their rights are exercised. Moreover, pursuant to Article 58(2)(i) the DPA fined the controller 4,918.6 lei (ca. €1000).

Comment

Unfortunately, this summary is based on a press release of the Romanian DPA as the DPA does not publish its full decisions.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.

18.01.2023

Penalty for GDPR violation



In December 2022, the National Supervisory Authority completed an investigation at the operator Dante International SA and found a violation of the provisions of art. 17 of Regulation (EU) 2016/679.

As such, the operator was penalized for contravention with a fine of 4,918.6 lei (equivalent to 1000 EURO).

The investigation was started as a result of a notification sent by a concerned person, complaining that the operator Dante International SA, the owner of emag.ro, violated the right to delete personal data.

During the investigation carried out, it was found that the operator sent an SMS to the phone number of the person in question informing him about the company's commercial offers, although he had previously requested the deletion of the account and irrelevant data.

The National Supervisory Authority found that the operator Dante International SA did not adopt all the necessary measures to comply with the data subject's request to delete his personal data, so that he continued to process his data by sending unsolicited commercial messages.

At the same time, as part of the investigation, the operator was also given the corrective measure to take technical and organizational measures in order to ensure that it effectively responds to requests that exercise the rights of the data subjects provided for by Regulation (EU) 2016/679, including regarding the right to erasure.



Legal and Communication Department

A.N.S.P.D.C.P.