ANSPDCP (Romania) - Fine against a natural person: Difference between revisions

From GDPRhub
(Created page with "{{DPAdecisionBOX |Jurisdiction=Romania |DPA-BG-Color=background-color:#ffffff; |DPAlogo=LogoRO.jpg |DPA_Abbrevation=ANSPDCP (Romania) |DPA_With_Country=ANSPDCP (Romania) |Ca...")
 
 
(10 intermediate revisions by 2 users not shown)
Line 7: Line 7:
|DPA_With_Country=ANSPDCP (Romania)
|DPA_With_Country=ANSPDCP (Romania)


|Case_Number_Name=Fine against a natural person  
|Case_Number_Name=Fine against a natural person
|ECLI=
|ECLI=


|Original_Source_Name_1=ANSPDCP
|Original_Source_Name_1=ANSPDCP
|Original_Source_Link_1=https://www.dataprotection.ro/?page=Comunicat_Presa_14_/_05_/_2021&lang=ro
|Original_Source_Link_1=https://www.dataprotection.ro/?page=Comunicat_Presa_30_07_2021&lang=ro
|Original_Source_Language_1=Romanian
|Original_Source_Language_1=Romanian
|Original_Source_Language__Code_1=RO
|Original_Source_Language__Code_1=RO
Line 18: Line 18:
|Outcome=Violation Found
|Outcome=Violation Found
|Date_Decided=
|Date_Decided=
|Date_Published=14.05.2021
|Date_Published=30.07.2021
|Year=2021
|Year=2021
|Fine=974
|Fine=200
|Currency=RON
|Currency=EUR


|GDPR_Article_1=Article 5(1)(b) GDPR
|GDPR_Article_1=Article 5(1)(b) GDPR
Line 31: Line 31:
|GDPR_Article_4=Article 6(1) GDPR
|GDPR_Article_4=Article 6(1) GDPR
|GDPR_Article_Link_4=Article 6 GDPR#1
|GDPR_Article_Link_4=Article 6 GDPR#1
|GDPR_Article_5=Article 13(1) GDPR
|GDPR_Article_5=Article 14(1) GDPR
|GDPR_Article_Link_5=Article 13 GDPR#1
|GDPR_Article_Link_5=Article 14 GDPR#1
|GDPR_Article_6=Article 13(2) GDPR
|GDPR_Article_6=Article 14(2) GDPR
|GDPR_Article_Link_6=Article 13 GDPR#2
|GDPR_Article_Link_6=Article 14 GDPR#2
|GDPR_Article_7=Article 13(3) GDPR
|GDPR_Article_7=Article 14(3) GDPR
|GDPR_Article_Link_7=Article 13 GDPR#3
|GDPR_Article_Link_7=Article 14 GDPR#3
|GDPR_Article_8=Article 32(2) GDPR
|GDPR_Article_8=Article 14(4) GDPR
|GDPR_Article_Link_8=Article 32 GDPR#2
|GDPR_Article_Link_8=Article 14 GDPR#4






|Party_Name_1=A natural person, owner of a website
|Party_Name_1=
|Party_Link_1=https://declaratieppr.ro/
|Party_Link_1=
|Party_Name_2=
|Party_Name_2=
|Party_Link_2=
|Party_Link_2=
Line 62: Line 62:
}}
}}


The Romanian DPA fined a natural person, owner of a website, RON 974.89 (approximately EUR 200), due to the fact that it did not inform data subjects about the processing activities performed and it did not take adequate security measures regarding the risks of processing.  
The Romanian DPA fined a natural person approximately €200 (RON 985.5) for disclosing copies of a pay slip and a kindergarten register containing personal data on their personal Facebook page and via flyers they distributed, in in violation of Articles 5, 6 and 14 GDPR.  


== English Summary ==
== English Summary ==


=== Facts ===
=== Facts ===
The owner of a website (a natural person) provided its users with personalised forms needed in order to leave the house during the coronavirus lockdown. To complete the forms, the controller needed certain personal data of the users, including their name, parent's name, address, personal number and signature.  
Copies of a data subject's pay slips (including name, surname, CNP, place of employment, position, and salary), and the registration records of a kindergarten including the personal data of a minor (name and surname) were shared by a natural person on their personal Facebook profile as well as distributed through flyers.  
=== Holding ===
Following several complaints, the DPA started an investigation and decided that the natural person was a controller unlawfully processing personal data, including a child's data, in breach of Articles 5, 6 and 14 of the GDPR.
 
In particular, the controller had not presented evidence that it had legally processed the personal data in the payslip thus violating Article 5(1)(a) and (b), Article 5(2) GDPR and Article 6(1) GDPR. 
 
Moreover, the controller had not presented evidence to show he had provided information to the data subject about the processing of personal data contained in the registration records, thus violating Article 14(1)-(4) GDPR.  


=== Dispute ===
The natural person was fined:
However, the controller did not prove the lawful processing of the respective data.


=== Holding ===
* approximately €100 for violating Article 5(1)(a) and (b), Article 5(2), and Article 6(1) GDPR;
The DPA held that the controller did not inform the data subjects regarding the processing performed on its website and did not take adequate security measures in order to prevent possible risks.  
* approximately €100 for violating Article 14(1)-(4) GDPR.


== Comment ==
== Comment ==
Line 85: Line 90:


<pre>
<pre>
The National Authority completed an investigation of a natural person and found a violation of the provisions of art. 5 para. (1) lit. a) and b) and par. (2), referred to in art. 6 para. (1), as well as the provisions of art. 13 para. (1) - (3) and art. 32 para. (2) of the General Data Protection Regulation.
The National Supervisory Authority completed an investigation of a natural person and found the commission of two contraventions by violating the provisions of art. 5 para. (1) lit. a) and b) and par. (2), referred to in art. 6 para. (1), as well as the provisions of art. 14 para. (1) - (4) of the General Data Protection Regulation.
 
As such, the natural person, as a controller, was sanctioned:
 
- with a fine, in the amount of 492.75 lei (equivalent to 100 EURO) for violating art. 5 para. (1) lit. a) and b) and par. (2) of the GDPR and of art. 6 para. (1) of the GDPR;


The natural person, acting as a controller, was sanctioned with a fine of a total amount of RON 974.89 (equivalent to the amount of EUR 200).
- with a fine, in the amount of 492.75 lei (equivalent to 100 EURO) for violating art. 14 para. (1) - (4) of the GDPR.


The investigation started after several complaints that through the website https://declaratieppr.ro, by filling in a form that generates a statement necessary to leave the house during the lockdown were processed certain personal data, namely name, surname, parents' first name, domicile, personal number, series and number of the identity card, factual address, place of travel, the purpose of travel and signature.
The investigation was initiated following the receipt of several complaints.


During the investigation, the National  Authority found that the controller did not present evidence showing that he had legally processed personal data, collected and stored on the website https://declaratieppr.ro.
Thus, the controller was complained about the fact that, by distributing some materials within the households in the commune and by posting on his personal Facebook account, he revealed personal data, on the one hand, of an individual by broadcasting a photo of the payslip that belonged to her and, on the other hand, revealed personal data of the minor son of another data subject, contained in a photograph of a file from the Register of children enrolled in the Kindergarten with Normal Program in that commune.


At the same time, it was found that it did not present evidence that it provided information to data subjects in connection with the processing of their personal data, collected on the same website.
As a result of the investigation, the National Supervisory Authority found that the controller did not present evidence to show that he had legally processed the personal data contained in the payslip of the data subject (name, surname, CNP, place of employment). work, position, salary), thus violating the principles of personal data processing provided in art. 5 para. (1) lit. a) and b) and par. (2) of the GDPR and the provisions of art. 6 para. (1) of the GDPR.


Also, the controller (natural person) has not taken adequate security measures to ensure that the file containing the personal data of the data subjects is not subject to processing risks, in particular, accidentally or illegally generating destruction, loss, modification, unauthorized disclosure or unauthorized access to personal data transmitted, stored or otherwise processed.
At the same time, the controller did not present evidence showing that he provided information to the data subjects about the processing of personal data contained in the tab photographed in the Register of children enrolled in Kindergarten with Normal Program (name and surname of the minor son of the data subject), thus violating the provisions of art. 14 para. (1) - (4) of the GDPR.
</pre>
</pre>

Latest revision as of 13:56, 4 August 2021

ANSPDCP (Romania) - Fine against a natural person
LogoRO.jpg
Authority: ANSPDCP (Romania)
Jurisdiction: Romania
Relevant Law: Article 5(1)(b) GDPR
Article 5(1)(a) GDPR
Article 5(2) GDPR
Article 6(1) GDPR
Article 14(1) GDPR
Article 14(2) GDPR
Article 14(3) GDPR
Article 14(4) GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided:
Published: 30.07.2021
Fine: 200 EUR
Parties: n/a
National Case Number/Name: Fine against a natural person
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Romanian
Original Source: ANSPDCP (in RO)
Initial Contributor: Diana Rosu

The Romanian DPA fined a natural person approximately €200 (RON 985.5) for disclosing copies of a pay slip and a kindergarten register containing personal data on their personal Facebook page and via flyers they distributed, in in violation of Articles 5, 6 and 14 GDPR.

English Summary

Facts

Copies of a data subject's pay slips (including name, surname, CNP, place of employment, position, and salary), and the registration records of a kindergarten including the personal data of a minor (name and surname) were shared by a natural person on their personal Facebook profile as well as distributed through flyers.

Holding

Following several complaints, the DPA started an investigation and decided that the natural person was a controller unlawfully processing personal data, including a child's data, in breach of Articles 5, 6 and 14 of the GDPR.

In particular, the controller had not presented evidence that it had legally processed the personal data in the payslip thus violating Article 5(1)(a) and (b), Article 5(2) GDPR and Article 6(1) GDPR.

Moreover, the controller had not presented evidence to show he had provided information to the data subject about the processing of personal data contained in the registration records, thus violating Article 14(1)-(4) GDPR.

The natural person was fined:

  • approximately €100 for violating Article 5(1)(a) and (b), Article 5(2), and Article 6(1) GDPR;
  • approximately €100 for violating Article 14(1)-(4) GDPR.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.

The National Supervisory Authority completed an investigation of a natural person and found the commission of two contraventions by violating the provisions of art. 5 para. (1) lit. a) and b) and par. (2), referred to in art. 6 para. (1), as well as the provisions of art. 14 para. (1) - (4) of the General Data Protection Regulation.

As such, the natural person, as a controller, was sanctioned:

- with a fine, in the amount of 492.75 lei (equivalent to 100 EURO) for violating art. 5 para. (1) lit. a) and b) and par. (2) of the GDPR and of art. 6 para. (1) of the GDPR;

- with a fine, in the amount of 492.75 lei (equivalent to 100 EURO) for violating art. 14 para. (1) - (4) of the GDPR.

The investigation was initiated following the receipt of several complaints.

Thus, the controller was complained about the fact that, by distributing some materials within the households in the commune and by posting on his personal Facebook account, he revealed personal data, on the one hand, of an individual by broadcasting a photo of the payslip that belonged to her and, on the other hand, revealed personal data of the minor son of another data subject, contained in a photograph of a file from the Register of children enrolled in the Kindergarten with Normal Program in that commune.

As a result of the investigation, the National Supervisory Authority found that the controller did not present evidence to show that he had legally processed the personal data contained in the payslip of the data subject (name, surname, CNP, place of employment). work, position, salary), thus violating the principles of personal data processing provided in art. 5 para. (1) lit. a) and b) and par. (2) of the GDPR and the provisions of art. 6 para. (1) of the GDPR.

At the same time, the controller did not present evidence showing that he provided information to the data subjects about the processing of personal data contained in the tab photographed in the Register of children enrolled in Kindergarten with Normal Program (name and surname of the minor son of the data subject), thus violating the provisions of art. 14 para. (1) - (4) of the GDPR.