ANSPDCP (Romania) - Fine against SC Spark Car Sharing SRL

From GDPRhub
ANSPDCP - Fine against SC Spark Car Sharing SRL
LogoRO.jpg
Authority: ANSPDCP (Romania)
Jurisdiction: Romania
Relevant Law: Article 5(1)(a) GDPR
Article 5(1)(b) GDPR
Article 6(1) GDPR
Article 7 GDPR
Article 17 GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided:
Published: 25.10.2023
Fine: 1000 EUR
Parties: SC Spark Car Sharing SRL
National Case Number/Name: Fine against SC Spark Car Sharing SRL
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Romanian
Original Source: ANSPDP (in RO)
Initial Contributor: Diana Rosu

The Romanian DPA fined a car sharing company approximately EUR 1,000 for sending marketing communications without a legal basis, and for continuing to send communications to a data subject after they submitted a data deletion request with the controller.

English Summary[edit | edit source]

Facts[edit | edit source]

The Romanian DPA started an investigation against a controller (a car sharing company), after one of the controller's customers filed a complaint. The data subject reported to the authority that they received several unsolicited marketing communications, even after they submitted a data deletion request with the controller, request which was acknowledged and confirmed by the controller.

Holding[edit | edit source]

During the investigation the controller was unable to prove that it processed the email address of its customers to send commercial communications in a lawful manner. As such, the Authority concluded that the controller processed the email addresses of their customers for direct mkt purposes without any legal basis (neither consent or another suitable legal basis) in breach of GDPR Articles 5(1)a and b, 6(1) and 7.

Additionally, the Authority identified that the controller continued to process the personal data of one data subject for direct marketing purposes, even after their deletion request was received, in breach of GDPR Article 17.

The controller was fined approximately EUR 1,000 and the Authority applied a corrective measure, requesting the controller to establish data processing practices in line with the consent requirements, when consent is the required legal basis.

Comment[edit | edit source]

Share your comments here!

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.

25.10.2023

Penalty for GDPR violation



The National Supervisory Authority for the Processing of Personal Data completed in October 2023 an investigation at the operator SC Spark Car Sharing SRL and found a violation of the provisions of art. 5 para. (1) lit. a) and b) related to art. 6 para. (1) and art. 7 and of art. 17 of Regulation (EU) no. 2016/679.

As such, the operator was penalized with a fine of 4,975.20 lei (equivalent to 1,000 EURO) and a warning.

The investigation was started as a result of a notification sent by a concerned person who claimed a possible violation of the provisions of Regulation (EU) no. 2016/679 by the operator SC Spark Car Sharing SRL, a car-sharing vehicle rental company through a computer application.

As part of the investigation, it turned out that the operator did not process the customer's email address for direct marketing purposes, neither on the basis of consent nor on any other legal basis.

It was also found that the individual requested the deletion of all his data from the application. Although the operator informed the customer that it would delete his data, he continued to send a series of marketing messages directly to his email address.

As such, the violation of the principles of personal data processing provided by art. 5 para. (1) lit. a) and b) by reference to art. 6 para. (1) and art. 7 of Regulation (EU) no. 2016/679 by the operator SC Spark Car Sharing SRL, which did not present any evidence to show that it processed the customer's e-mail address with his freely expressed and specific consent or on the basis of another legal basis and sent him more many commercial messages.

Also, during the investigation, it turned out that the operator used the client's e-mail address to send messages by e-mail, after exercising the right to delete data by the data subject, thus violating the provisions of art. 17 of Regulation (EU) no. 20016/679.

At the same time, as part of the investigation, the operator was also applied the corrective measure to ensure the compliance of personal data processing operations with compliance with the conditions regarding consent, for data processing that is based on consent as the legal basis of the processing.



Legal and Communication Department

A.N.S.P.D.C.P.