ANSPDCP (Romania) - Fine against Telekom România Communications SA 4: Difference between revisions

From GDPRhub
Revision as of 22:54, 14 December 2021

ANSPDCP (Romania) - Fine against Telekom România Communications SA 4
Authority: ANSPDCP (Romania)
Jurisdiction: Romania
Relevant Law: Article 5(1)(d) GDPR
Article 5(1)(f) GDPR
Article 5(2) GDPR
Article 17 GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided:
Published: 06.12.2021
Fine: 6000 EUR
Parties: Telekom România Communications SA
National Case Number/Name: Fine against Telekom România Communications SA 4
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Romanian
Original Source: ANSPDCP (in RO)
Initial Contributor: Diana Rosu

Telekom Romania was fined approximately €6.000 after collecting and processing inaccurate personal data in breach of Articles 5(1)(d), (f) and 5(2), and ignoring a data subject's erasure request in breach of Article 17.

English Summary

Facts

A data subject filed a complaint after Telekom Romania (one of the biggest telecommunication providers in the country) erroneously sent them e-mail invoices and notifications issued for another person.

The DPA started an investigation and found that the situation arose because Telekom collected inaccurate data from one of its clients and did not take the necessary measures to enforce an erasure request.

Holding

The DPA decided that collecting inaccurate data and sending invoices and notifications containing personal data to the wrong recipient breached Articles 5(1)(d), (f) and 5(2) GDPR, and issued a fine of approximately €5.000 (RON 24.745).

Not answering the data subject's erasure request was in breach of Article 17 GDPR and resulted in a fine of approximately €1.000 (RON 4.949).

Additionally, the DPA applied two corrective measures:

- it ordered the controller to bring its processing operations into compliance with the Regulation, by implementing efficient measures which would guarantee the accuracy of personal data at the moment of the collection;

- it ordered the controller to comply with the data subjects’ erasure and rectification requests, by adopting effective technical and organizational measures which will guarantee the correct implementation of such changes.

English Machine Translation of the Decision

The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.






06.12.2021

RGPD

The National Supervisory Authority completed in November 2021 an investigation at the operator Telekom Romania Communications SA, following which it found a violation of the provisions of art. 5 para. (1) lit. d) and f) and para. (2), as well as of art. 17 of the General Data Protection Regulation (RGPD).

The operator Telekom Romania Communications S.A. was fined as follows:

- fine in the amount of 24,745 lei, the equivalent of 5,000 euros, for violating the provisions of art. 5 para. (1) lit. d) and f) and para. (2) of the RGPD;

- fine in the amount of 4,949 lei, the equivalent of 1,000 euros, for violating the provisions of art. 17 of the RGPD.

The investigation was initiated as a result of a complaint made by a data subject claiming the receipt, from the operator Telekom Romania Communications SA, at his e-mail address, of some invoices and notification messages regarding the arrears accumulated by another person, a subscriber of the same company.

During the investigation, the National Supervisory Authority found that the operator had incorrectly collected and processed certain inaccurate personal data, which also led to the illegal disclosure of personal data to another individual, which is a violation of the principles of personal data processing enshrined in art. 5 para. (1) lit. d) and f) and para. (2) of the General Data Protection Regulation.

At the same time, during the investigation, it was found that the operator did not adopt the necessary measures to comply with the request for deletion made according to art. 17 of the General Data Protection Regulation.

The following corrective measures were also applied to the operator:

- to ensure the compliance with the RGPD of the operations of collection and further processing of personal data, by implementing efficient methods to ensure the accuracy of data, including in the case of the collection of data, such as e-mail address, which allow remote communication of personal data. In this regard, it has been decided to put in place adequate and effective security measures, both from a technical point of view (such as: automated data collection, securing the transmission of documents and messages by encryption/password) and from an organizational point of view, through regular training of data controllers under the authority of the operator;

- to ensure compliance with the RGPD in case of requests for deletion or rectification of personal data, by adopting appropriate technical and organizational measures to ensure the effective and correct implementation of these operations in the database(s) used by the operator and his authorized persons, as well as appropriate training of data controllers under their authority.

In this context, it is noted that recital (65) of the General Data Protection Regulation states that "The data subject should have the right to rectification of personal data concerning him/her and the 'right to be forgotten' if the storage of such data infringes this Regulation or Union law or the national law to which the operator belongs. (...)"

Legal and Communication Department

A.N.S.P.D.C.P.