ANSPDCP (Romania) - 19.04.2023
| ANSPDCP - 19.04.2023 | |
|---|---|
 | |
| Authority: | ANSPDCP (Romania) |
| Jurisdiction: | Romania |
| Relevant Law: | Article 5(1)(a) GDPR Article 5(1)(b) GDPR Article 6 GDPR |
| Type: | Investigation |
| Outcome: | Violation Found |
| Started: | |
| Decided: | |
| Published: | 19.04.2023 |
| Fine: | 3000 EUR |
| Parties: | Salvati Romania Union Party (USR) |
| National Case Number/Name: | 19.04.2023 |
| European Case Law Identifier: | n/a |
| Appeal: | Unknown |
| Original Language(s): | Romanian |
| Original Source: | ANSPDCP (in RO) |
| Initial Contributor: | Marta.Tudor |
The Romanian DPA fined Salvati Romania Union Party (USR) €3,000 for publishing data on its website in violation of Article 5(1)(a), (b) and Article 6 GDPR.
English Summary
Facts
The Romanian Ombudsman forwarded to the Romanian DPA, several notifications. These notifications were mentioning that Salvati Romania Union Party (in Romanian: Partidul Salvati Romania - USR), the controller, published on its website personal data belonging to several data subjects. These data included the data subjects' degrees of disability.
Following such, the Romanian DPA started an investigation. It revealed that the data controller operator collected the personal data i.e. name, surname, personal numerical code (a unique 13 digits number assigned to Romanians and Romanian residents), address, identity card number, medical certificate number, degree of disability, from official documents of authorities and public institutions and later published them on the party's website, as part of a project.
Holding
The Romanian DPA found that the data controller could not rely on any legal basis for the processing at stake. It therefore violated the provisions of Article 5(1)(a) and (b) in conjunction with Article 6 GDPR.
As such, the data controller was fined 14,776.50 RON (the equivalent of €3,000).
The Romanian DPA also ordered to anonymize the data published on the controller's website.
Comment
Unfortunately, the Romanian DPA does not publish its full decisions. This summary is based on a press release.
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.
19.04.2023 Penalty for GDPR violation In March of this year, the National Supervisory Authority completed an investigation at the operator Union Save Romania Party and found a violation of the provisions of art. 5 para. (1) lit. a) and b) in conjunction with art. 6 of the General Data Protection Regulation (RGPD). As such, the Save Romania Union Party (USR) was fined 14,776.50 lei (the equivalent of 3,000 EURO). The sanction was applied as a result of notifications, forwarded by the People's Advocate institution, complaining that personal data belonging to people with different degrees of disability are posted on the website of the Union Save Romania Party. During the investigation carried out, it was found that the operator took personal data of some concerned persons, i.e. name, surname, CNP, address, series and identity card number, medical expertise certificate number, degree of disability, from the official documents of authorities and public institutions, posted on their websites, later publishing them on the party's website, as part of a USR project, in violation of the principles of processing, without having a legal basis for that processing. At the same time, the operator was also applied the corrective measure to ensure compliance with the principles of the RGPD when carrying out personal data processing operations, by reanalyzing the documentation published on the website hcl.usr.ro, which contains the decisions, provisions and minutes issued by local public authorities, in order to anonymize personal data. Legal and Communication Department A.N.S.P.D.C.P.
