ANSPDCP (Romania) - Fine for sending unsolicited message to an e-mail address

From GDPRhub
ANSPDCP - Not available
LogoRO.jpg
Authority: ANSPDCP (Romania)
Jurisdiction: Romania
Relevant Law: Article 14(2)(f) GDPR
Article 17(1)(c) GDPR
Article 21(1) GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided:
Published:
Fine: 2000 EUR
Parties: n/a
National Case Number/Name: Not available
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Romanian
Original Source: Romanian DPA (in RO)
Initial Contributor: Silvia Axinescu

A market research company was fined 9898 RON (equivalent to €2000) for sending unsolicited message to an e-mail address collected indirectly from public sources for the purpose of market research. The DPA found violations of Articles 14(2)(f), 17(1)(c) and 21(1) GDPR.

English Summary[edit | edit source]

Facts[edit | edit source]

The Romanian DPA initiated an investigation following a complaint from a data subject who complained that unsolicited messages had been sent to her e-mail address. The data subject had responded to the emails, objecting to the processing of her data. However, she continued to receive the unsolicited messages.

In the course of the investigation, the Romanian DPA found that a market research company, ISRA Marketing Research Centre SRL, had collected the data subject's personal data (e.g. name, surname, e-mail address, place of work) indirectly from public sources for the purpose of conducting market research.

Holding[edit | edit source]

The Romanian DPA found a violation of Articles 14(2)(f), 17(1)(c) and 21(1) GDPR, on the following grounds.

Firstly, the DPA found a violation of Article 14(2)(f) GDPR, as the controller did not inform the data subject that they had collected their personal data from public sources. The DPA assessed that the controller had failed to comply with the obligation to provide clear and complete information to the data subject.

Secondly the DPA found that the controller did not facilitate the data subject's right to object, as the controller continued to send emails to the data subject following her objection, violating Article 17(1)(c) GDPR and Article 21(1) GDPR.

As a result, the DPA issued a fine of 9898 RON (equivalent to €2000).

Comment[edit | edit source]

Unfortunately, the Romanian DPA does not publish its full decisions. This summary is based on a press release. Interestingly, this is one of the first fines imposed by the DPA as of the entering into force of the GDPR on the breach of the obligation to inform the data subject when personal are collected indirectly, from publicly available sources.

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.

07.09.2023

Penalty for GDPR violation



The National Supervisory Authority for the Processing of Personal Data completed, in August 2023, an investigation at the operator ISRA Center Marketing Research SRL and found a violation of the provisions of art. 14 para. (2) lit. f), art. 17 para. (1) lit. c) and art. 21 para. (1) of Regulation (EU) 2016/679.

The operator was fined two fines totaling 9,898 lei, the equivalent of 2,000 EURO.

The investigation was started as a result of a complaint submitted by a natural person who complained that the operator was sending unsolicited messages to his e-mail address.

During the investigation carried out, the National Supervisory Authority for the Processing of Personal Data found that ISRA Center Marketing Research SRL collected the personal data of the person concerned (for example, name, surname, e-mail address, place of work) in a way indirectly, from public sources, in view of a proposal to participate in a market research.

Thus, during the investigation, it emerged that the operator did not present evidence from which it could be concluded that he provided clear and complete information to the person whose personal data he collected from public sources, omitting to communicate all the information provided by art. 14 of Regulation (EU) 2016/679, such as the data collection source (art. 14 para. (2) letter f)). It was also found that the source of data collection was not clearly presented even in the information available on the operator's website.

At the same time, during the investigation, it turned out that ISRA Center Marketing Research SRL did not take the necessary measures to comply with the request to exercise the right to oppose data processing. Thus, the operator continued to process the petitioner's data by sending a new message, thus violating the provisions of art. 17 para. (1) lit. c) and of art. 21 para. (1) of Regulation (EU) 2016/679.

At the same time, in accordance with the provisions of art. 58 para. (2) lit. d) from Regulation (EU) 2016/679, the following corrective measures were also applied to the operator:

to ensure compliance with Regulation (EU) 2016/679 of personal data processing operations, by ensuring clear and complete information of the data subjects, both on its own website and in other documents communicated directly to the data subjects , by providing all the information provided by art. 13 and 14, as the case may be, and in compliance with the transparency conditions provided by art. 12 of the same Regulation;

to analyze the legality of the processing of personal data previously collected from sources other than directly from the data subjects and to remove from the record system, if applicable, the personal data whose processing was not carried out in compliance with all the provisions of Regulation (EU) 2016/679 .

We note that the operator has paid the value of the imposed sanctions.



A.N.S.P.D.C.P.