ANSPDCP (Romania) - Fine against IKEA ROMÂNIA SA

From GDPRhub
ANSPDCP (Romania) - Fine against IKEA ROMÂNIA SA
Authority: ANSPDCP (Romania)
Jurisdiction: Romania
Relevant Law: Article 32(1)(b) GDPR
Article 32(2) GDPR
Type: Investigation
Outcome: Violation Found
Decided: 14.10.2021
Published: 01.11.2021
Fine: 1000 EUR
National Case Number/Name: Fine against IKEA ROMÂNIA SA
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Romanian
Original Source: ANSPDCP (in RO)
Initial Contributor: Diana Rosu

THE ANSPDCP (Romanian DPA) fined IKEA Romania approx €1,000 for a data breach where personal data was erroneously made available online on an IKEA members' platform. The incident affected the personal data of 114 data subjects, half of which were minors.

English Summary


The controller IKEA Romania organised a drawing contest for the children of 'IKEA Family' members. To join the contest, the legal guardians of the children had to upload the drawings, their consent, and participation forms. These forms included their own personal data (name, surname, city, country, email, IKEA membership number, and handwritten signature), and their children's personal data (name, surname, and age).

The drawings were then published on the online platform, to vote for the contest winner. However, in doing so, IKEA also erroneously published the participation forms, which included the personal data of the participants (children and their legal guardians). This data breach was then notified to the Romanian DPA.


The DPA started an investigation and found that the personal data of 114 data subjects (out of which half were minors) was erroneously published and left available online for 40 hours on the dedicated platform for 'IKEA Family' members. Hence, this affected the confidentiality of the personal data, in breach of Article 32(1)(b) GDPR and Article 32(2) GDPR. The DPA emphasised, referring to recital 38, that children need specific protection of their personal data, and fined IKEA Romania for approx €1,000 (RON 4948.8).


Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.

01.11.2021 & # 13;
RGPD & # 13;
& # 13;
The National Supervisory Authority completed on 14.10.2021 an investigation at the operator IKEA ROMANIA SA, following which it was found the violation of the provisions of art. 32 para. (1) lit. b) and para. (2) of the General Data Protection Regulation. & # 13;
As such, the operator was sanctioned with a fine of 4948.80 lei (equivalent to 1,000 EURO). & # 13;
The investigation was started as a result of the transmission by IKEA ROMANIA SA to the National Authority for the Supervision of Personal Data Processing of a notification of personal data security breach. & # 13;
Thus, according to the mentions in the notification form, IKEA ROMANIA SA organized a drawing contest in which the children of IKEA Family members participated. The participants uploaded in the online platform dedicated to the members their own drawings, together with the participation forms, which contained their personal data but also that of the parents / legal guardians, including their consent. In order to vote for the best drawing, the children's drawings were published on the online platform, by mistake, together with the personal data included in the participation forms. & # 13;
At the time of the investigation, it was found that the security incident led to the unauthorized disclosure of personal data of IKEA Family members (name, surname and age of minors, name, surname, city, country, e-mail, membership number IKEA Family and the handwritten signature of the parent / legal guardian), on the online platform dedicated to IKEA Family members in Romania, accessible only to them, for about 40 hours, affecting a number of 114 individuals (half of them minors) . & # 13;
As such, it was found that this incident led to the compromise of data confidentiality, in violation of the provisions of art. 32 para. (1) lit. b) and para. (2) of the RGPD. & # 13;
In this context, we emphasize that, according to recital 38 of the RGPD, “Children need specific protection of their personal data, as they may be less aware of the risks, consequences, safeguards involved and their rights regarding the processing. personal data. This specific protection should apply in particular to the use of children's personal data for marketing purposes or to the creation of personality or user profiles and to the collection of personal data concerning children when using services provided directly to children. "& # 13;
& # 13;
Legal and Communication Department & # 13;