ANSPDCP (Romania) - Fine against Telekom România Communications SA 4
|ANSPDCP (Romania) - Fine against Telekom România Communications SA 4|
|Relevant Law:||Article 5(1)(d) GDPR|
Article 5(1)(f) GDPR
Article 5(2) GDPR
Article 17 GDPR
|Parties:||Telekom România Communications SA|
|National Case Number/Name:||Fine against Telekom România Communications SA 4|
|European Case Law Identifier:||n/a|
|Original Source:||ANSPDCP (in RO)|
|Initial Contributor:||Diana Rosu|
The Romanian DPA imposed a fine on Telekom Romania of approximately €6.000 for collecting and processing inaccurate personal data, violating Article 5(1)(d), Article 5(1)(f) and Article 5(2), and ignoring a data subject's erasure request in breach of Article 17 GDPR.
English Summary[edit | edit source]
Facts[edit | edit source]
The controller is Telekom Romania, one of the biggest telecommunication providers in Romania. The data subject is a customer of the controller. They filed a complaint with the DPA after the controller erroneously sent them e-mail invoices and notifications that were issued for another customer. The DPA started an investigation and found that the situation was caused because the controller collected inaccurate data from one of its clients. Moreover, the DPA found that the controller did not take necessary measures to enforce an erasure request pursuant to Article 17 GDPR.
Holding[edit | edit source]
First, the DPA held that controller violated Article 5(1)(d), Article 5(1)(f) and Article 5(2), because it collected inaccurate data and sent invoices and notifications containing personal data to the wrong recipient. For these violations, the DPA imposed a fine of approximately €5.000 (RON 24.745). Second, the DPA found that controller violated Article 17 GDPR because it ignored the data subject's erasure request. For this violation, the DPA imposed a fine of approximately €1.000 (RON 4.949). Hence, in total, the fine was approximately €6.000 (RON 29.694).
Additionally, the DPA applied two corrective measures. The DPA ordered the controller to bring its processing operations into compliance with GDPR by implementing efficient measures which would guarantee the accuracy of personal data at the moment of the collection. Moreover, it ordered the controller to comply with data subjects' erasure and rectification requests, by adopting effective technical and organisational measures which will guarantee the correct implementation of such changes.
Comment[edit | edit source]
Share your comments here!
Further Resources[edit | edit source]
Share blogs or news articles here!
English Machine Translation of the Decision[edit | edit source]
The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.
06.12.2021 & # 13; RGPD & # 13; & # 13; The National Supervisory Authority completed in November 2021 an investigation at the operator Telekom Romania Communications SA following which it was found the violation of the provisions of art. 5 para. (1) lit. d) and f) and par. (2), as well as of art. 17 of the General Data Protection Regulation (RGPD). & # 13; The operator of Telekom Romania Communications S.A. was fined as follows: & # 13; & # 13; fine in the amount of 24,745 lei, the equivalent of 5,000 euros, for violating the provisions of art. 5 para. (1) lit. d) and f) and par. (2) of the RGPD; & # 13; fine in the amount of 4,949 lei, the equivalent of 1,000 euros, for violating the provisions of art. 17 of the RGPD. & # 13; & # 13; The investigation was initiated as a result of a complaint made by a data subject claiming the receipt, from the operator Telekom Romania Communications SA, on his e-mail address, of some invoices and notification messages regarding the arrears accumulated by a another person, a subscriber of the same company. & # 13; During the investigation, the National Supervisory Authority found that the operator had incorrectly collected and processed certain inaccurate personal data, which also led to the illegal disclosure of personal data to another individual, which is a violation of the principles of personal data processing, enshrined in art. 5 para. (1) lit. d) and f) and par. (2) of the General Data Protection Regulation. & # 13; At the same time, during the investigation, it was found that the operator did not adopt the necessary measures to comply with the request for deletion made, according to art. 17 of the General Data Protection Regulation. & # 13; The following corrective measures were also applied to the operator: & # 13; & # 13; to ensure the compliance with RGPD of the operations of collection and further processing of personal data, by implementing efficient methods to ensure the accuracy of data, including in the case of data collection, such as e-mail address, which allow remote communication of personal data. In this regard, it has been decided to put in place adequate and effective security measures, both from a technical point of view (such as: automated data collection, securing the transmission of documents and messages by encryption / password), and from a technical point of view. from an organizational point of view, through regular training of data controllers under the authority of the operator; & # 13; to ensure compliance with the RGPD in case of requests for deletion or rectification of personal data, by adopting appropriate technical and organizational measures to ensure the effective and correct implementation of these operations in the database (s) used by the operator and his authorized persons , as well as appropriate training of data controllers under their authority. & # 13; & # 13; In this context, it is noted that recital (65) of the General Data Protection Regulation stated that "The data subject should have the right to rectification of personal data concerning him / her and" the right to be forgotten "if that the storage of such data infringes this Regulation or Union law or the national law to which the operator belongs. (...) ”& # 13; & # 13; Legal and Communication Department & # 13; A.N.S.P.D.C.P.