ANSPDCP (Romania) - 19.04.2023

ANSPDCP - 19.04.2023
Authority:	ANSPDCP (Romania)
Jurisdiction:	Romania
Relevant Law:	Article 5(1)(a) GDPR Article 5(1)(b) GDPR Article 6 GDPR
Type:	Investigation
Outcome:	Violation Found
Started:
Decided:
Published:	19.04.2023
Fine:	3000 EUR
Parties:	Salvati Romania Union Party (USR)
National Case Number/Name:	19.04.2023
European Case Law Identifier:	n/a
Appeal:	Unknown
Original Language(s):	Romanian
Original Source:	ANSPDCP (in RO)
Initial Contributor:	Marta.Tudor

Salvati Romania Union Party (USR) was fined €3,000 for violations of Article 5(1)(a), Article 5(1)(b) and Article 6 GDPR.

English Summary

Facts

The Romanian Ombudsman forwarded to the Romanian DPA, several notifications it received, complaining that Salvati Romania Union Party (in Romanian: Partidul Salvati Romania - USR) has posted on its website personal data belonging to people with different degrees of medical disability. Following such, the Romanian DPA started an investigation. It revealed that the data controller operator collected the personal data of some data subjects, i.e. name, surname, personal numerical code, address, series and identity card number, medical expertise certificate number, degree of disability, from the official documents of authorities and public institutions, posted on their websites and later published them on the unior party's website, as part of a project.

Holding

The Romanian DPA found that the data controller has violated the provisions of [Article 5 GDPR#1a|Article 5(1)(a)]], Article 5(1)(b) in conjunction with Article 6 GDPR, by performing such processing activities in breach of the processing priciples, without having a legal ground for the processing. As such, the data controller was fined 14,776.50 RON (the equivalent of €3,000). At the same time, the Romanian DPA also applied the corrective measure to ensure compliance with the GDPR principles when carrying out personal data processing operations, by reasessing the documentation published on the website hcl.usr.ro, which contains the decisions, provisions and minutes issued by local public authorities, in order to anonymize the personal data therein.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.

19.04.2023

Penalty for GDPR violation

In March of this year, the National Supervisory Authority completed an investigation at the operator Union Save Romania Party and found a violation of the provisions of art. 5 para. (1) lit. a) and b) in conjunction with art. 6 of the General Data Protection Regulation (RGPD).

As such, the Save Romania Union Party (USR) was fined 14,776.50 lei (the equivalent of 3,000 EURO).

The sanction was applied as a result of notifications, forwarded by the People's Advocate institution, complaining that personal data belonging to people with different degrees of disability are posted on the website of the Union Save Romania Party.

During the investigation carried out, it was found that the operator took personal data of some concerned persons, i.e. name, surname, CNP, address, series and identity card number, medical expertise certificate number, degree of disability, from the official documents of authorities and public institutions, posted on their websites, later publishing them on the party's website, as part of a USR project, in violation of the principles of processing, without having a legal basis for that processing.

At the same time, the operator was also applied the corrective measure to ensure compliance with the principles of the RGPD when carrying out personal data processing operations, by reanalyzing the documentation published on the website hcl.usr.ro, which contains the decisions, provisions and minutes issued by local public authorities, in order to anonymize personal data.

Legal and Communication Department

A.N.S.P.D.C.P.