ANSPDCP (Romania) - 31.01.2024

From GDPRhub
Revision as of 16:14, 14 February 2024 by Ar (talk | contribs) (Good summary! Please remember to mention the fine in euros and to cite the GDPR articles according to the guidelines)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
ANSPDCP - 31.01.2024
LogoRO.jpg
Authority: ANSPDCP (Romania)
Jurisdiction: Romania
Relevant Law: Article 58(1)(a) GDPR
Article 58(1)(e) GDPR
Article 58(2)(d) GDPR
Law 190/2018
Type: Investigation
Outcome: Violation Found
Started:
Decided:
Published: 16.07.2036
Fine: 10,000 RON
Parties: n/a
National Case Number/Name: 31.01.2024
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Romanian
Original Source: Ro DPA (in RO)
Initial Contributor: maxinescu

The Romanian DPA sanctioned the local municipality of 1st district, Bucharest, €2,010.38 for the failure to comply with the requests of the DPA to provide information and obtain access to personal data and information necessary for performing its tasks, pursuant to Article 58(1)(a) and (e) GDPR.

English Summary

Facts

The DPA initiated an investigation into the local municipality of the 1st district in Bucharest (the controller) after receiving several referrals alleging a possible infringement of the GDPR.

The notices regarded the financial incentives of the programme "Local measures to ensure energy needs and energy efficiency in households in Sector 1". By decisions of the Local Council, it was established how the inhabitants of Sector 1 could submit the necessary documents to benefit from the financial incentives of the programme: in physical format or via e-mail. However, the controller had made available also an online platform for data collection that had been purchased before the decision was approved by the Local Council.

Holding

During the investigation, the controller failed to respond to the Romanian DPA's repeated requests for information in accordance with the provisions of Article 58(1)(a) and (e) GDPR, which led to the DPA issuing a warning to the controller. At the same time, the DPA ordered the controller a remedial measure, namely, to provide all the requested information to the DPA.

Since the controller did not carry out the measures under the remediation plan within the deadline set by the authority, as the controller did not reply to the DPA request to provide the relevant documents and information, the latter imposed a fine of €2,010.38 for the failure to comply with the provisions of Article 58(1)(a) and (e) GDPR.

At the same time, during the investigation, in accordance with Article 58(2)(d) GDPR, the DPA also imposed on the controller the corrective measure to provide and communicate all the requested information, necessary to assess the aspects subject of the investigation.

Comment

Unfortunately, the Romanian DPA does not publish its full decisions.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.

31.01.2024

Penalty for GDPR violation



The National Supervisory Authority for the Processing of Personal Data completed in December 2023 an investigation at the operator Sector 1 of the Municipality of Bucharest and found a violation of the provisions of art. 58 para. (1) lit. a) and e) from Regulation (EU) no. 2016/679 and art. 14 para. (5) lit. e) from Law no. 190/2018.

As such, the operator was penalized with a fine of 10,000 lei.

The investigation was started as a result of notifications that claimed a possible violation of the provisions of Regulation (EU) no. 2016/679.

Thus, the operator of Sector 1 of the Municipality of Bucharest, through the decisions of the Local Council, established the way in which the inhabitants of Sector 1 can submit the necessary documents to benefit from the financial incentives of the program "Local measures aimed at ensuring energy needs and improving the efficiency of energy consumption in households from Sector 1", respectively in physical format or on an e-mail address, established strictly for the purpose of implementing the program. However, Sector 1 of the Municipality of Bucharest made available to the beneficiaries an online platform, https://ticheteanticriza.primarias1.ro, for data collection, purchased before the draft decision was debated and approved by the Local Council.

During the investigation, the operator did not respond to the repeated requests for information sent by the National Authority for the Supervision of Personal Data Processing.

Therefore, as the operator did not provide the information requested by our institution, considering the operator's status as a public institution according to the provisions of Law no. 190/2018, he was sanctioned with a warning. At the same time, it was ordered to apply a remedial measure consisting in the provision/communication of all the requested information.

Since the operator of Sector 1 of the Municipality of Bucharest did not carry out the previously ordered measure through a remedial plan, within the deadline set by the authority, the investigation continued.

Considering that the operator did not prove the fulfillment of the ordered remedial measure, the National Supervisory Authority for the Processing of Personal Data fined Sector 1 of the Municipality of Bucharest for violating the provisions of art. 58 para. (1) lit. a) and lit. e) from Regulation (EU) no. 2016/679 and art. 14 para. (5) lit. e) from Law no. 190/2018.

At the same time, during the investigation, in accordance with the provisions of art. 58 para. (2) lit. d) from Regulation (EU) no. 2016/679, the National Supervisory Authority for the Processing of Personal Data applied to the operator the corrective measure to provide/communicate all the requested information, necessary for the resolution of the reported issues.

Legal and Communication Department

A.N.S.P.D.C.P.