ANSPDCP (Romania) - Fine against Dante International SA (eMAG) - no 3

From GDPRhub
Authority: ANSPDCP (Romania)
Jurisdiction: Romania
Relevant Law: Article 6(1)(a) GDPR; Article 12(2) GDPR; Article 13(1)(c), (e), (f) GDPR; Article 14(1)(c), (e), (f) GDPR; Article 17(1) GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided:
Published: 20.06.2023
Fine: 40000 EUR
Parties: Dante International SA, also known as Emag
National Case Number/Name: Fine against Dante International SA (eMAG) - no 3
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Romanian
Original Source: ANSPDCP (in RO)
Initial Contributor: Diana Rosu

The Romanian DPA fined Dante International SA approximately €40,000 for infringements related to data subject rights, including the automatic rejection of an erasure request and the failure to rectify an email address upon request.

English Summary

Facts

The controller, Dante International SA, owns the biggest online retailer in Romania (eMAG) and has websites available in three different languages: Romanian, Hungarian, and Bulgarian.

The controller received three different data subject requests regarding their Hungarian website:

Firstly, an account deletion: the request was sent to the controller's generic email address. In response, the controller asked the data subject to send, by email, a scanned or photographed copy of the request, dated and signed on paper.

Secondly, data erasure: the data subject sent their request to three different email addresses and via an online contact form. However, all of the requests were automatically rejected because a third-party email security provider classified them as coming from an untrusted domain.

Thirdly, data rectification: a data subject requested that their email address be updated. Although the controller initially confirmed the request, the data subject still received communications at their former email address.

The three data subjects filed complaints with the Hungarian Data Protection Authority, which referred them to the Romanian Authority in its capacity as lead supervisory authority under Article 60 GDPR.

Holding

The Romanian Authority accepted the request, consulted with the Hungarian Authority according to the procedure under Article 60 GDPR, and held the following:

Firstly, for the account deletion request, the controller did not regularly train its employees with regard to data subject right requests. The training in place was deemed insufficient to satisfy the requirements of Article 24 GDPR.

Secondly, for the erasure request, the lack of a unified channel for receiving data subject requests led to disproportionate restrictions of data subject rights. The DPA noted that the controller's privacy notice did not include any information regarding processing performed by third parties or the transfer of data to third countries, in breach of Articles 13(1)(c), (e), (f) and 14(1)(c), (e), (f) GDPR.

Thirdly, regarding the rectification request, the authority held that the controller did not have an appropriate legal basis (consent) to use the old email address of a data subject for electronic communications.

Considering the above mentioned reasons, the DPA held that the controller:

  • did not handle data subject rights requests in accordance with Articles 12(2) and 17(1) GDPR;
  • failed to inform data subjects about processing by third parties and about international data transfers, in breach of Articles 13(1)(c), (e), (f) and 14(1)(c), (e), (f) GDPR; and
  • did not rely on an appropriate legal basis for processing a data subject's old email address after a rectification request, in breach of Article 6(1)(a) GDPR.

The DPA therefore issued fines totalling approximately €40,000, together with an order to apply corrective measures, including providing information to data subjects on the website, implementing an anonymisation method for certain data, and organising training for employees on how to handle data subject rights requests.

Comment

This is amongst the highest fines issued by the Romanian Authority, and one of the factors that led to this fine was the previous fines issued against the same controller:


English Machine Translation of the Decision

The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.

20.06.2023

Penalty for GDPR violation

Based on the cooperation mechanisms provided by Regulation (EU) 2016/679, the National Supervisory Authority was notified by the data protection authority (DPA) of Hungary regarding the complaints made by three natural persons from this state against Dante International SA.

DPA Hungary considered the National Supervisory Authority to be the lead authority in this case, given that the company has its main headquarters in Romania.

The National Supervisory Authority accepted the proposal to act as lead supervisory authority, considering that Dante International SA carries out personal data processing operations through the emag website (with versions in the official language of three countries: Romania, Hungary and Bulgaria) in the context of ordering the products it sells online (directly or through partners).

Thus, during the investigations carried out by the National Supervisory Authority to resolve the three reported cases, the following aspects were found:

1. In the first case, a petitioner requested the deletion of the account created on emag.hu, sending a correspondence to this effect to the address info@emag.hu. Through the response received from this address, the petitioner was requested to send a dated and signed (scanned or photographed) application to the address data.protection@emag.ro.

During the investigation carried out to resolve this complaint, the National Supervisory Authority found a lack of regular and adequate training by Dante International SA of the employees of the group, regarding the procedure to be followed in order to resolve the requests of the persons concerned.

It was found that the training of the staff of the Hungarian entity is carried out, mainly, upon employment, and within each entity within the group, and subsequently, only in "specific and specialized situations at the departmental level".

However, according to art. 24 of the GDPR, the operator is obliged to implement appropriate technical and organizational measures, including adequate data protection policies, to guarantee and be able to demonstrate that the processing is carried out in accordance with the GDPR. These policies should adequately address the handling of requests received from data subjects and the implementation of regular training sessions for staff involved in the processing of personal data.

2. In the second case, another petitioner requested the deletion of his data at several e-mail addresses of the operator (data.protection@emag.ro, info@emag.hu and data.protection@emag.hu) and also through the contact form on its website, but this was not possible, since the emag servers rejected his requests as coming from an untrustworthy address.

Regarding the automatic rejection of the petitioner's requests, the operator claimed that its servers use public lists provided by a third party, over which it has no control, and that the situation was possibly caused by the poor reputation of the @freemail.hu service at the time the petitioner sent those requests to Dante.

The situation found in this case showed that establishing a single, exclusive communication channel for data subjects, combined with a lack of adequate information about certain technical limitations, can lead to an unjustified restriction of their rights.
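The second case describes a concrete failure mode: an inbound mail filter that hard-rejects any sender domain found on a third-party reputation list will silently drop erasure requests sent from a listed free-mail provider, and nobody at the controller ever sees them. The following is an added example, not part of the GDPRhub page or the ANSPDCP decision, showing that weak policy beside a hardened one in which mail addressed to a rights-request mailbox is quarantined for human review and raises an alert instead of being rejected. The mailbox names, domains, reputation list and sample messages are all constructed for the example.

```python
"""Inbound mail policy for data-subject-request mailboxes.

Added example; not the controller's or the regulator's code. Simulates a
reputation-list filter in front of a generic inbox and a hardened variant
that never rejects mail to protected rights-request mailboxes.
All mailbox names, domains and the reputation list are constructed.
"""
from dataclasses import dataclass
from email.utils import parseaddr

# Constructed: mailboxes that receive data-subject requests and must never
# lose mail to reputation filtering (the erasure/rectification channel).
PROTECTED_MAILBOXES = {"data.protection@example-shop.hu", "info@example-shop.hu"}

# Constructed stand-in for a third-party domain reputation (block) list.
REPUTATION_BLOCKLIST = {"freemail.example", "spamhost.example"}


@dataclass
class Message:
    sender: str      # header-style address, e.g. "Name <user@domain>"
    recipient: str
    subject: str


@dataclass
class Decision:
    action: str          # "accept", "quarantine" or "reject"
    reason: str
    alert: bool = False  # whether the data-protection team is notified


def sender_domain(addr: str) -> str:
    """Return the lowercase domain part of a header-style address."""
    _, email = parseaddr(addr)
    return email.rpartition("@")[2].lower()


def naive_policy(msg: Message, blocklist=REPUTATION_BLOCKLIST) -> Decision:
    """Weak policy: the reputation list decides for every recipient."""
    if sender_domain(msg.sender) in blocklist:
        return Decision("reject", "sender domain on reputation list")
    return Decision("accept", "sender domain not listed")


def hardened_policy(msg: Message, blocklist=REPUTATION_BLOCKLIST) -> Decision:
    """Hardened policy: listed senders to a protected mailbox are quarantined
    and flagged for review; other recipients keep the ordinary reject rule."""
    listed = sender_domain(msg.sender) in blocklist
    protected = msg.recipient.lower() in PROTECTED_MAILBOXES
    if listed and protected:
        return Decision("quarantine",
                        "listed sender to rights-request mailbox; human review required",
                        alert=True)
    if listed:
        return Decision("reject", "sender domain on reputation list")
    return Decision("accept", "sender domain not listed")


# Constructed sample traffic: two requests from a listed free-mail domain,
# one unrelated spam message, one request from an unlisted domain.
SAMPLE_MESSAGES = [
    Message("Petitioner <user@freemail.example>", "data.protection@example-shop.hu", "Erasure request"),
    Message("Petitioner <user@freemail.example>", "info@example-shop.hu", "Account deletion"),
    Message("promo@spamhost.example", "orders@example-shop.hu", "Cheap offers"),
    Message("customer@isp.example", "data.protection@example-shop.hu", "Rectification"),
]


def lost_requests(messages=SAMPLE_MESSAGES):
    """Count rights requests that each policy rejects without any human seeing them."""
    lost = {}
    for name, policy in (("naive", naive_policy), ("hardened", hardened_policy)):
        lost[name] = sum(
            1 for m in messages
            if m.recipient.lower() in PROTECTED_MAILBOXES and policy(m).action == "reject"
        )
    return lost


def review_queue(messages=SAMPLE_MESSAGES):
    """Subjects the hardened policy hands to the data-protection team for review."""
    return [m.subject for m in messages if hardened_policy(m).alert]


if __name__ == "__main__":
    print("requests lost per policy:", lost_requests())
    print("quarantined for review:", review_queue())
```

The point of the comparison is that the reputation list is unchanged in both policies; only the action taken for the rights-request channel differs, so a listing the controller cannot influence no longer decides whether a request is received at all. The quarantine decision carries an alert flag so that the one-month response clock can be tracked from the day the message arrived rather than from the day someone happens to notice it.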

It was also found that the information on the emag.hu website did not contain complete information on transfers to third countries, the purposes and recipients in this context, according to the provisions of art. 13 para. (1) lit. c), e), f) and art. 14 para. (1) lit. c), e), f) of the GDPR.

Following the investigation, the operator modified the personal data processing policy published on the emag websites, giving data subjects the opportunity to send requests under the GDPR both by e-mail (to an address such as data.protection@emag.hu) and by post/courier to a physical address in that state.

3. Another petitioner complained that one of his e-mail addresses was still being processed by Dante, even though he had requested to replace it with another e-mail address.

During the investigation, it was found that, although the rectification request was initially resolved positively, with the operator confirming the rectification of the e-mail address to the petitioner, the old address continued to be processed by Dante in the course of a longer correspondence with the petitioner.

Since the petitioner's old e-mail address was still stored in the database for the purpose of fulfilling the legal obligation to retain accounting supporting documents (the electronic invoices previously sent), the Supervisory Authority considered that this purpose differs from the purpose of handling complaints, so that reactivating this address and using it in electronic correspondence would have been possible only on the basis of the data subject's consent, as provided by art. 6 para. (1) lit. a) of Regulation (EU) 2016/679.

In relation to the aspects presented above, the Supervisory Authority found the following:

- Dante International SA violated the provisions of art. 12 para. (2), in conjunction with art. 17 of the GDPR, as well as the provisions of art. 17 para. (1) of the GDPR, regarding the operator's obligation to facilitate the exercise of the rights of data subjects and to delete their data without undue delay;

- Dante International SA violated the provisions of art. 13 para. (1) lit. c), e), f) and art. 14 para. (1) lit. c), e), f) of the GDPR, since at the time the investigation started, the information on the emag.hu website did not contain complete information on transfers to third countries, or on the purposes and recipients of the data in this context;

- Dante International SA violated the provisions of art. 6 para. (1) lit. a) of the GDPR, as it continued to process the e-mail address of a data subject in the course of correspondence with him, after the request for its rectification, without his consent.

The National Supervisory Authority has assessed that the circumstances of the cases mentioned above present a degree of gravity that requires the application of a sanction with a fine against the operator. The cases were analyzed from the point of view of the criteria for individualizing the fines provided for in Article 83 paragraphs (2) and (3) of the GDPR, resulting in the following:

- the nature, seriousness and duration of the violation: non-compliance with the transparency conditions provided for by art. 12 of the GDPR regarding the facilitation of the exercise of the rights of data subjects at the level of the company in Hungary (part of the Dante group) and, implicitly, the failure to adopt immediate measures to delete personal data in the case of two data subjects from this country, according to art. 17 of the GDPR; failure to provide complete information on the emag.hu website in relation to the transfer of data to third countries, according to art. 13 and 14 of the GDPR; the policy for managing data subjects' requests to exercise the rights provided for by the GDPR, which, at least in the case of the Hungarian company, limited the ways of submitting requests to a single communication channel (a dedicated e-mail address);

- the negligent nature of the operator's fault in these cases;

- the remedial measures for some of the reported issues, adopted by the operator during the investigations undertaken by DPA Hungary and the ANSPDCP, both in the particular cases of the petitioners and regarding the general procedures applied by the operator;

- the types of personal data processed in the case of the applicants: personal data specific to placing an online order, payment and delivery of the ordered product (mainly name, surname, e-mail address, telephone number, delivery and/or billing address);

- the previous sanctions applied by ANSPDCP against Dante International SA.

Thus, following the investigations carried out, the National Supervisory Authority informed the other supervisory authorities, including the Hungarian authority, in an informal consultation procedure, based on art. 60 of Regulation (EU) 2016/679, regarding the conclusions resulting from the investigations carried out in the three cases with cross-border impact, as well as regarding the draft decision drawn up by our institution.

Following the proposals submitted by DPA Hungary, the National Supervisory Authority issued the final decision, according to the provisions of art. 60 of Regulation (EU) 679/2016.

Therefore, given that Dante International SA carries out cross-border processing, account was taken of the provisions of art. 60 of Regulation (EU) 679/2016, as well as those of art. 16 para. (3), (5), (6), (7) of Law no. 102/2005, republished, which provide for the application of sanctions/corrective measures by decision of the president of ANSPDCP, based on the report of findings and the report of the control staff.

As such, Dante International SA was sanctioned for contravention:

1. with a fine of 148,830 lei (the equivalent of 30,000 EUR) for violating the provisions of art. 12 para. (2) and art. 17 para. (1) of Regulation (EU) 2016/679;

2. with a warning for violating the provisions of art. 13 para. (1) lit. c), e), f) and art. 14 para. (1) lit. c), e), f) of Regulation (EU) 2016/679;

3. with a fine in the amount of 49,610 lei (the equivalent of 10,000 EUR) for violating the provisions of art. 6 para. (1) lit. a) of Regulation (EU) 2016/679.

At the same time, under art. 58 para. (2) lit. d) from Regulation (EU) 2016/679, the Supervisory Authority ordered the following corrective measures against the operator:

- to ensure complete information of data subjects, by providing all the information required by art. 13 and 14 of Regulation (EU) 2016/679, including in the context of the transfer of personal data to third countries, with this information to be available on the emag websites managed by the operator, in the national language version of each country;

- to implement an anonymization method to prevent the risk of re-identification of persons whose personal data are subject to this procedure, according to art. 32 of Regulation (EU) 2016/679;

- to order regular training measures for the staff of the companies that are part of the Dante group (from Romania, Hungary and Bulgaria) regarding the procedure that must be followed in order to correctly resolve requests submitted by data subjects under Regulation (EU) 2016/679.



Legal and Communication Department

A.N.S.P.D.C.P.