ANSPDCP (Romania) - National Consumer Protection Authority (ANPC)
| ANSPDCP - National Consumer Protection Authority (ANPC) | |
|---|---|
 | |
| Authority: | ANSPDCP (Romania) |
| Jurisdiction: | Romania |
| Relevant Law: | Article 32(2) GDPR |
| Type: | Investigation |
| Outcome: | Violation Found |
| Started: | |
| Decided: | |
| Published: | |
| Fine: | n/a |
| Parties: | National Consumer Protection Authority (ANPC) |
| National Case Number/Name: | National Consumer Protection Authority (ANPC) |
| European Case Law Identifier: | n/a |
| Appeal: | Appealed - Confirmed |
| Original Language(s): | Romanian |
| Original Source: | Romanian DPA (in RO) |
| Initial Contributor: | Silvia Axinescu |
The Romanian DPA adopted corrective measures against the Romenian National Consumer Protection Authority for having used WhatsApp as an official channel of communication with consumers without putting into place technical and organisational measures pursuant to Article 32 GDPR.
English Summary
Facts
The National Consumer Protection Authority (ANPC) - the controller - decided to provide a dedicated mobile phone number for the sending of consumer complaints through WhatsApp messages. In the context of several petitions and notifications through this channel, the controller collected numerous personal data. After considering several complaints with regard to this practice, as well as the news published in various media outlets, the Romanian DPA initiated an investigation on the use of WhatsApp by the ANPC.
Holding
As a result of the investigation, the DPA found that the ANPC collected personal data through WhatsApp, which was not in under its control, without taking into account the potential risks for data subjects. Also, the DPA stressed that ANPC had already other available channels for lodging petitions and complaints, such as a registered email account or a form on the institutional website.
Thus, the DPA found that the ANPC violated Article 32(2) GDPR and imposed a warning, as well as corrective measures to process personal data only by using means under ANPC control. These measures also included implementation of appropriate technical and organizational measures to guarantee and be able to demonstrate that processing is carried out in accordance with the provisions of the GDPR.
Comment
The ANPC challenged the decision of the DPA and the court rejected the appeal as unfounded.
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.
10.07.2023 Court decision - ANPC - WhatsApp In the litigation currently pending, the court of first instance (Bucharest Municipal Court) upheld the minutes of the National Authority for the Supervision of Personal Data Processing through which it was established that ANPC collected numerous personal data from notifications and complaints received, by using the "WhatsApp" application, which is not under its control, without taking into account the risks involved, thus violating the provisions of art. 32 para. (2) of the GDPR. Thus, for the fact found in 2022, the National Supervisory Authority for the Processing of Personal Data ordered the sanction with a warning, based on Law no. 190/2018, accompanied by the corrective measure to process personal data only by using personal data processing means that are under its control, including by implementing appropriate technical and organizational measures to guarantee and be able to demonstrate that the processing is carried out in accordance with the provisions of the GDPR. The investigation was started as a result of some reports complaining that ANPC decided to allocate mobile phone numbers, in order to receive reports, although ANPC had other means of sending petitions (email, online, website, mail). This information was also found in the press releases posted by the ANPC website. Regarding the findings of the National Supervisory Authority for the Processing of Personal Data, contained in the control report, the court of first instance rejected the appeal filed by ANPC as unfounded. In this context, with regard to ensuring the compliance of processing operations with GDPR rules by WhatsApp Ireland - this company was subjected to the investigation of the Data Protection Authority of Ireland, finding a violation of the principle of transparency enshrined in Article 5 para. (1) lit. a) of the GDPR and, implicitly, of the right to information of data subjects located on the territory of several member states, establishing a significant fine of 225 million Euros. Regarding the aspects presented above, the National Supervisory Authority for the Processing of Personal Data draws attention to the fact that, in the context of processing personal data, using the messaging application "WhatsApp" as means of processing, related to the principle of operator responsibility, processing in this way may affect the right to privacy and data protection of natural persons, by referring to the processing principles established by Regulation (EU) 2016/679 (GDPR).
