ANSPDCP (Romania) - Fine against Telekom Romania Communications SA 3

From GDPRhub
ANSPDCP (Romania) - Fine against Telekom Romania Communications SA 3
LogoRO.jpg
Authority: ANSPDCP (Romania)
Jurisdiction: Romania
Relevant Law: Article 6 GDPR
Article 21 GDPR
Type: Investigation
Outcome: Violation Found
Decided:
Published: 13.05.2021
Fine: 9851.40 RON
Parties: Telekom Romania Communications SA
National Case Number/Name: Fine against Telekom Romania Communications SA 3
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Romanian
Original Source: ANSPDCP (in RO)
Initial Contributor: Diana Rosu

The Romanian DPA warned Telekom Romania for processing personal data for marketing purposes without a legal basis, and fined it approximately €2,000 (RON 9,851.40) for continuing to contact a data subject after they had exercised their right to object.

English Summary[edit | edit source]

Facts[edit | edit source]

When terminating the contract with Telekom, a previous customer withdrew their consent for data processing. After this, they were contacted again by Telekom for marketing purposes and the complainant exercised their rights to opposition and erasure. Despite this, complainant was further contacted by the controller for marketing purposes.

Dispute[edit | edit source]

The controller processed personal data even after the data subject withdrew his/her consent, objected to the processing and made an erasure request.

Holding[edit | edit source]

The DPA warned Telekom for the processing performed without legal ground, breaching Article 6 GDPR, and fined it approximately €2,000 (RON 9,851.40) for contacting a data subject subsequent to his/her opposition request, breaching Article 21 GDPR.

Comment[edit | edit source]

This is the 4th fine against Telekom Romania for breaching GDPR. Apparently, the amount of the fines imposed so far did not have the desired effect on the data controller and allowed subsequent violations.

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.

The National Authority completed on 23.04.2021 an investigation against the controller Telekom Romania Communications SA and found a violation of the provisions of art. 6 and art. 21 of the General Data Protection Regulation.

The controller Telekom Romania Communications SA was sanctioned with a warning for violating the provisions of art. 6 of Regulation (EU) 679/2016 and with a fine of 9,851.40 RON (equivalent to the amount of 2000 EURO) for violating art. 21 of the same Regulation.

The sanctions were applied following a complaint alleging that the petitioner had been contacted on his telephone number for marketing purposes by a Telekom representative, although he had withdrawn his consent to the use of his personal data upon termination of the contractual relationship with the controller.

Subsequently, the petitioner exercised his right to object to the processing of his personal data for marketing and advertising purposes by requesting the controller to delete his telephone number and e-mail address from Telekom's database.

However, the petitioner was again contacted by a Telekom representative for marketing purposes. Thus, the petitioner sent the controller a new request not to be contacted and to have his telephone number and e-mail address deleted from the database.

Following this request, the controller informed the applicant that his e-mail address and telephone number had been deleted from the customer management system, confirming, at the same time, that he had been called by a Telekom representative, who, due to a human error, he did not realize that he did not have the petitioner's permission to call him.

During the investigation, the National Authority found that Telekom Romania Communications SA processed the personal data of the petitioner for marketing purposes without having a legal basis, thus violating the provisions of art. 6 of the RGPD.

Also, the controller contacted the petitioner by phone, although he had exercised his right of opposition, thus violating the provisions of art. 21 of the RGPD.

In this context, we recall that Chapter III of Regulation (EU) 2016/679 regulates the rights of the data subject: the right to information, the right of access, the right to rectification, the right to erasure ("right to be forgotten"), restriction of processing, right to data portability, right to object, right not to be subject to a decision based solely on automatic processing, right to lodge a complaint with a supervisory authority.