ANSPDCP (Romania) - Fine against IKEA Romania S.R.L.: Difference between revisions

From GDPRhub
No edit summary
No edit summary
 
(One intermediate revision by one other user not shown)
Line 53: Line 53:
}}
}}


The Romanian DPA issued a fine of €1000 against IKEA Romania S.R.L. for not granting a data subject's right to erasure of his personal data and IKEA account, in violation of [[Article 17 GDPR|Articles 17]], [[Article 12 GDPR#1|12(1) GDPR]] and [[Article 12 GDPR#3|12(3) GDPR]].
The Romanian DPA issued a fine of €1000 against IKEA Romania S.R.L. for not complying with a data subject's request to erase his personal data and IKEA account, in violation of [[Article 17 GDPR|Articles 17]], [[Article 12 GDPR#1|12(1) GDPR]] and [[Article 12 GDPR#3|12(3) GDPR]].


== English Summary ==
== English Summary ==


=== Facts ===
=== Facts ===
In March 2022, a data subject filed a complaint with the Romanian DPA (ANSPDCP) against Ikea Romania S.R.L., claiming that he had repeatedly requested to exercise his right to have his personal data deleted from an Ikea user account associated to his e-mail address, and that the controller had not granted these requests.
In March 2022, a data subject filed a complaint with the Romanian DPA (ANSPDCP) against IKEA Romania S.R.L., claiming that he had repeatedly requested to exercise his right to have his personal data deleted from an Ikea user account associated to his e-mail address, and that the controller had not granted these requests.


=== Holding ===
=== Holding ===
The ANSPDCP held that Ikea did not provide proof that it had replied within the legal deadline to the data subject’s request to exercised his right to erasure provided for in [[Article 17 GDPR|Article 17 GDPR]], which constitutes a breach of [[Article 12 GDPR#1|Articles 12(1)]] and [[Article 12 GDPR#3|12(3) GDPR]].  
The ANSPDCP held that IKEA did not provide proof that it had replied within the legal deadline to the data subject’s request to exercise his right to erasure provided for in [[Article 17 GDPR|Article 17 GDPR]], which constitutes a breach of [[Article 12 GDPR#1|Articles 12(1)]] and [[Article 12 GDPR#3|12(3) GDPR]]. Based on these violations, the ANSPDCP issued a fine of approximately €1000 (4,949 lei) against the IKEA. The ANSPDCP also ordered IKEA to take the necessary measures to ensure that it handles these requests in compliance with GDPR.  
 
Based on these violations, the ANSPDCP issued a fine of approximately €1000 (4,949 lei) against Ikea. The ANSPDCP also ordered Ikea to take the necessary measures to ensure that it handles these requests and grants data subject’s access rights in compliance with GDPR.
== Comment ==
== Comment ==
''Share your comments here!''
''Share your comments here!''

Latest revision as of 16:43, 27 April 2022

ANSPDCP (Romania) - Fine against IKEA Romania S.R.L.
LogoRO.jpg
Authority: ANSPDCP (Romania)
Jurisdiction: Romania
Relevant Law: Article 12(1) GDPR
Article 12(3) GDPR
Article 17 GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided:
Published: 18.04.2022
Fine: 1000 EUR
Parties: n/a
National Case Number/Name: Fine against IKEA Romania S.R.L.
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Romanian
Original Source: ANSPDCP (in RO)
Initial Contributor: Cesar Manso-Sayao

The Romanian DPA issued a fine of €1000 against IKEA Romania S.R.L. for not complying with a data subject's request to erase his personal data and IKEA account, in violation of Articles 17, 12(1) GDPR and 12(3) GDPR.

English Summary

Facts

In March 2022, a data subject filed a complaint with the Romanian DPA (ANSPDCP) against IKEA Romania S.R.L., claiming that he had repeatedly requested to exercise his right to have his personal data deleted from an Ikea user account associated to his e-mail address, and that the controller had not granted these requests.

Holding

The ANSPDCP held that IKEA did not provide proof that it had replied within the legal deadline to the data subject’s request to exercise his right to erasure provided for in Article 17 GDPR, which constitutes a breach of Articles 12(1) and 12(3) GDPR. Based on these violations, the ANSPDCP issued a fine of approximately €1000 (4,949 lei) against the IKEA. The ANSPDCP also ordered IKEA to take the necessary measures to ensure that it handles these requests in compliance with GDPR.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.

18.04.2022

Sanction for violating the RGPD



The National Supervisory Authority completed, in March 2022, an investigation at the operator IKEA Romania S.R.L. and found a violation of the provisions of art. 12 para. (3) of the General Data Protection Regulation.

As such, the operator was sanctioned with a fine of 4,949 lei (equivalent to 1,000 EURO).

The investigation was initiated following a complaint by the data subject claiming that he had addressed the operator in order to delete a user account.

The investigation revealed that the data subject had repeatedly exercised his right to delete his personal data from an Ikea user account created on the basis of an e-mail address.

The National Supervisory Authority found that the operator IKEA Romania S.R.L did not prove that it sent within the legal term a response to the requests by which the data subject exercised his right of cancellation provided by art. 17 of the General Regulation on Data Protection, which constitutes a violation of the provisions of art. 12 para. (3) of the General Data Protection Regulation.

By art. 12 para. (3) of the General Data Protection Regulation provides:

"The operator shall provide the data subject with information on actions taken following a request under Articles 15 to 22, without undue delay and in any case within one month of receipt of the request. This period may be extended by two months where necessary, taking into account the complexity and number of applications. The operator shall inform the data subject of any such extension within one month of receipt of the request, stating the reasons for the delay. Where the data subject submits an application in electronic format, the information shall be provided in electronic format where possible, unless the data subject requests another format. "

At the same time, in the course of the investigation, the corrective measure was applied to the operator to take the necessary measures so as to respect, in all cases, the rights of data subjects under the General Data Protection Regulation.



Legal and Communication Department

A.N.S.P.D.C.P.