ANSPDCP (Romania) - Fine for sending unsolicited message to an e-mail address

From GDPRhub
Revision as of 07:06, 4 October 2023 by Aa (talk | contribs)
ANSPDCP - Not available
LogoRO.jpg
Authority: ANSPDCP (Romania)
Jurisdiction: Romania
Relevant Law: Article 14(2)(f) GDPR
Article 17(1)(c) GDPR
Article 21(1) GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided:
Published:
Fine: 2000 EUR
Parties: n/a
National Case Number/Name: Not available
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Romanian
Original Source: Romanian DPA (in RO)
Initial Contributor: Silvia Axinescu

A market research company was sanctioned with a fine of 9898 lei (equivalent to EUR 2000) for sending unsolicited message to an e-mail address collected indirectly from public sources for the purpose to take part in a market research. The DPA found a violation of the provisions of Article 14 (2) (f), Article 17 (1) (c) and Article (1) GDPR.

English Summary

Facts

ISRA Center Marketing Research SRL, a market research company had collected personal data of an individual consisting in name, surname, e-mail address and place of work, indirectly, from publicly available sources. The personal data of the subject were collected by the company for the purpose to ask the individual to take part in a market research, this being the core business of the controller.

Holding

Following the submission by the data subject of a complaint specifying that the controller sent unsolicited messages to her e-mail address, the DPA assessed that the personal data were collected, indirectly from the individual, respectively from publicly available sources. Also, during the investigation, the DPA assessed that the controller failed to comply with the obligation to provide clear and complete information to the data subject, such as source of data collection.

Comment

Unfortunately, the Romanian DPA does not publish its full decisions. This summary is based on a press release. Interestingly, this is one of the first fines imposed by the DPA as of the entering into force of the GDPR on the breach of the obligation to inform the data subject when personal are collected indirectly, from publicly available sources.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details. 

07.09.2023

Penalty for GDPR violation



The National Supervisory Authority for the Processing of Personal Data completed, in August 2023, an investigation at the operator ISRA Center Marketing Research SRL and found a violation of the provisions of art. 14 para. (2) lit. f), art. 17 para. (1) lit. c) and art. 21 para. (1) of Regulation (EU) 2016/679.

The operator was fined two fines totaling 9,898 lei, the equivalent of 2,000 EURO.

The investigation was started as a result of a complaint submitted by a natural person who complained that the operator was sending unsolicited messages to his e-mail address.

During the investigation carried out, the National Supervisory Authority for the Processing of Personal Data found that ISRA Center Marketing Research SRL collected the personal data of the person concerned (for example, name, surname, e-mail address, place of work) in a way indirectly, from public sources, in view of a proposal to participate in a market research.

Thus, during the investigation, it emerged that the operator did not present evidence from which it could be concluded that he provided clear and complete information to the person whose personal data he collected from public sources, omitting to communicate all the information provided by art. 14 of Regulation (EU) 2016/679, such as the data collection source (art. 14 para. (2) letter f)). It was also found that the source of data collection was not clearly presented even in the information available on the operator's website.

At the same time, during the investigation, it turned out that ISRA Center Marketing Research SRL did not take the necessary measures to comply with the request to exercise the right to oppose data processing. Thus, the operator continued to process the petitioner's data by sending a new message, thus violating the provisions of art. 17 para. (1) lit. c) and of art. 21 para. (1) of Regulation (EU) 2016/679.

At the same time, in accordance with the provisions of art. 58 para. (2) lit. d) from Regulation (EU) 2016/679, the following corrective measures were also applied to the operator:

to ensure compliance with Regulation (EU) 2016/679 of personal data processing operations, by ensuring clear and complete information of the data subjects, both on its own website and in other documents communicated directly to the data subjects , by providing all the information provided by art. 13 and 14, as the case may be, and in compliance with the transparency conditions provided by art. 12 of the same Regulation;

to analyze the legality of the processing of personal data previously collected from sources other than directly from the data subjects and to remove from the record system, if applicable, the personal data whose processing was not carried out in compliance with all the provisions of Regulation (EU) 2016/679 .

We note that the operator has paid the value of the imposed sanctions.



A.N.S.P.D.C.P.
Retrieved from "https://gdprhub.eu/index.php?title=ANSPDCP_(Romania)_-_Fine_for_sending_unsolicited_message_to_an_e-mail_address&oldid=35172"
Creative Commons Attribution-NonCommercial-ShareAlike
Powered by MediaWiki