ANSPDCP (Romania) - 03.01.2023

From GDPRhub
ANSPDCP - Press Communication 03/01/2023
LogoRO.jpg
Authority: ANSPDCP (Romania)
Jurisdiction: Romania
Relevant Law: Article 6 GDPR
Article 83(5)(a) GDPR
Article 83(5)(e) GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided:
Published: 03.01.2023
Fine: 2,462.5 RON
Parties: n/a
National Case Number/Name: Press Communication 03/01/2023
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Romanian
Original Source: Romanian DPA (in RO)
Initial Contributor: n/a

The Romanian DPA fined a controller €500 for publishing a data subject's name without a legal basis in Article 6 GDPR.

English Summary[edit | edit source]

Facts[edit | edit source]

The data subject is a member of the controller's association. The data subject lodged a complaint at the Romanian DPA, stating that the controller breached the GDPR by publishing a payment list containing the first and last name of each member of the association. Moreover, the data subject also accused the controller of having published a defamatory document in which the data subject's name was mentioned.

The complaint prompted the DSA to launch an investigation into the controller's conduct. During the investigation, it was found that the Owners' Association disclosed the petitioner's personal data (name and surname) by displaying an information on the notice board, without his consent.

Holding[edit | edit source]

During the investigation, the DPA found that the controller disclosed the data subject's personal name on a notice board without a legal basis in Article 6 GDPR. Neither consent nor any other legal basis were applicable. Consequently, pursuant to the Articles 83(5)(a) and 83(5)(e), the DPA fined the controller 2,462.5 lei (the equivalent of €500). Additionally, the controller was ordered to implement corrective measures to ensure future compliance with the GDPR.

Comment[edit | edit source]

Unfortunately, at the time of writing, the Romanian DPA refrained from publishing its full decision. The above summary is based on a press release.

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.

03.01.2023

Fine for GDPR violation



In November of this year, the National Supervisory Authority completed an investigation at an Owners' Association in Iași, to which it imposed a fine and a warning, as follows:

fine in the amount of 2,462.5 lei, the equivalent of 500 EURO, for violating the provisions of art. 83 para. (5) lit. e) from GDPR; warning for violating the provisions of art. 6 in conjunction with paragraph 83. (5) lit. a) from the GDPR.

The investigation was carried out as a result of a complaint claiming that the operator displayed the payment lists containing the first and last name of each member of the Owners Association. The petitioner also complained about the display of a defamatory document in which his personal data (name and surname) were mentioned.

During the investigation, it was found that the Owners' Association disclosed the petitioner's personal data (name and surname) by displaying a notice on the notice board, without his consent and without the existence of another situation where consent is not necessary.

The operator was also given the corrective measure to take the necessary measures in order to ensure the compliance of the processing operations with the provisions of the RGPD and to avoid the processing (including the disclosure) of personal data without the consent of the data subjects and without the existence of another situation in which the consent it is not necessary.



Legal and Communication Department

A.N.S.P.D.C.P.