ANSPDCP (Romania) - 19.04.2023

From GDPRhub
ANSPDCP - 19.04.2023
LogoRO.jpg
Authority: ANSPDCP (Romania)
Jurisdiction: Romania
Relevant Law: Article 5(1)(a) GDPR
Article 5(1)(b) GDPR
Article 6 GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided:
Published: 19.04.2023
Fine: 3000 EUR
Parties: Salvati Romania Union Party (USR)
National Case Number/Name: 19.04.2023
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Romanian
Original Source: ANSPDCP (in RO)
Initial Contributor: Marta.Tudor

The Romanian DPA fined Salvati Romania Union Party (USR) €3,000 for publishing data on its website in violation of Article 5(1)(a), (b) and Article 6 GDPR.

English Summary[edit | edit source]

Facts[edit | edit source]

The Romanian Ombudsman forwarded to the Romanian DPA, several notifications. These notifications were mentioning that Salvati Romania Union Party (in Romanian: Partidul Salvati Romania - USR), the controller, published on its website personal data belonging to several data subjects. These data included the data subjects' degrees of disability.

Following such, the Romanian DPA started an investigation. It revealed that the data controller operator collected the personal data i.e. name, surname, personal numerical code (a unique 13 digits number assigned to Romanians and Romanian residents), address, identity card number, medical certificate number, degree of disability, from official documents of authorities and public institutions and later published them on the party's website, as part of a project.

Holding[edit | edit source]

The Romanian DPA found that the data controller could not rely on any legal basis for the processing at stake. It therefore violated the provisions of Article 5(1)(a) and (b) in conjunction with Article 6 GDPR.

As such, the data controller was fined 14,776.50 RON (the equivalent of €3,000).

The Romanian DPA also ordered to anonymize the data published on the controller's website.

Comment[edit | edit source]

Unfortunately, the Romanian DPA does not publish its full decisions. This summary is based on a press release.

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.

19.04.2023

Penalty for GDPR violation

In March of this year, the National Supervisory Authority completed an investigation at the operator Union Save Romania Party and found a violation of the provisions of art. 5 para. (1) lit. a) and b) in conjunction with art. 6 of the General Data Protection Regulation (RGPD).

As such, the Save Romania Union Party (USR) was fined 14,776.50 lei (the equivalent of 3,000 EURO).

The sanction was applied as a result of notifications, forwarded by the People's Advocate institution, complaining that personal data belonging to people with different degrees of disability are posted on the website of the Union Save Romania Party.

During the investigation carried out, it was found that the operator took personal data of some concerned persons, i.e. name, surname, CNP, address, series and identity card number, medical expertise certificate number, degree of disability, from the official documents of authorities and public institutions, posted on their websites, later publishing them on the party's website, as part of a USR project, in violation of the principles of processing, without having a legal basis for that processing.

At the same time, the operator was also applied the corrective measure to ensure compliance with the principles of the RGPD when carrying out personal data processing operations, by reanalyzing the documentation published on the website hcl.usr.ro, which contains the decisions, provisions and minutes issued by local public authorities, in order to anonymize personal data.

Legal and Communication Department

A.N.S.P.D.C.P.