ANSPDCP (Romania) - 18.01.2023
|ANSPDCP - Press Communication 18/01/2023
|Article 17 GDPR
Article 58(2)(d) GDPR
Article 58(2)(i) GDPR
|National Case Number/Name:
|Press Communication 18/01/2023
|European Case Law Identifier:
|Romanian DPA (in RO)
The Romanian DPA fined a controller ca. €1000 for sending a data subject unsolicited commercial messages by SMS after the data subject had already requested the deletion of its data pursuant to Article 17 GDPR.
English Summary[edit | edit source]
Facts[edit | edit source]
On an undetermined date, a data subject issued a complaint to the Romanian DPA against a controller operating in the electric household appliances industry. The data subject argued that the controller had violated their right to erasure (‘right to be forgotten’) pursuant to Article 17 GDPR.
The DPA decided to investigate the matter.
Holding[edit | edit source]
During its investigation, the Romanian DPA found that the controller had sent an SMS to the phone number of the data subject with commercial offers despite the fact that the data subject had previously requested the controller to delete all the data subject's personal data. The DPA came to the conclusion that the controller had not adopted all the necessary measures in order to comply with the data subject's request which resulted in the continuation of illegal data processing through the communication of unsolicited commercial messages.
Consequently, pursuant to its powers under Article 58(2)(d) GDPR, the DPA ordered the controller to take technical and organizational measures to ensure that it would effectively respond to data subject's requests to exercise their rights. Moreover, pursuant to Article 58(2)(i) GDPR the DPA fined the controller 4,918.6 lei (ca. €1000).
Comment[edit | edit source]
Unfortunately, this summary is based on a press release of the Romanian DPA as the DPA does not publish its full decisions.
Further Resources[edit | edit source]
Share blogs or news articles here!
English Machine Translation of the Decision[edit | edit source]
The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.
18.01.2023 Penalty for GDPR violation In December 2022, the National Supervisory Authority completed an investigation at the operator Dante International SA and found a violation of the provisions of art. 17 of Regulation (EU) 2016/679. As such, the operator was penalized for contravention with a fine of 4,918.6 lei (equivalent to 1000 EURO). The investigation was started as a result of a notification sent by a concerned person, complaining that the operator Dante International SA, the owner of emag.ro, violated the right to delete personal data. During the investigation carried out, it was found that the operator sent an SMS to the phone number of the person in question informing him about the company's commercial offers, although he had previously requested the deletion of the account and irrelevant data. The National Supervisory Authority found that the operator Dante International SA did not adopt all the necessary measures to comply with the data subject's request to delete his personal data, so that he continued to process his data by sending unsolicited commercial messages. At the same time, as part of the investigation, the operator was also given the corrective measure to take technical and organizational measures in order to ensure that it effectively responds to requests that exercise the rights of the data subjects provided for by Regulation (EU) 2016/679, including regarding the right to erasure. Legal and Communication Department A.N.S.P.D.C.P.