ANSPDCP (Romania) - RED&WHITE 2022 MANAGEMENT S.A.
ANSPDCP - RED&WHITE 2022 MANAGEMENT S.A. | |
---|---|
Authority: | ANSPDCP (Romania) |
Jurisdiction: | Romania |
Relevant Law: | Article 28(3) GDPR |
Type: | Complaint |
Outcome: | Upheld |
Started: | |
Decided: | |
Published: | 30.01.2025 |
Fine: | 24854.50 RON |
Parties: | RED&WHITE 2022 MANAGEMENT S.A. |
National Case Number/Name: | RED&WHITE 2022 MANAGEMENT S.A. |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | Romanian |
Original Source: | Autoritatea Naţională de Supraveghere a Prelucrării Datelor cu Caracter Personal (in RO) |
Initial Contributor: | elu |
The DPA imposed a fine of RON 24,854.50 (€5,000) after an email sent to the processor by the majority shareholder of a football team was forwarded to customers of the controller without proper authorisation.
English Summary
Facts
A representative of the controller notified the DPA that a possible violation of the GDPR may have occurred in the context of a crowdfunding campaign.
The DPA decided to start an investigation on the matter.
The investigation revealed that the controller, which was the majority shareholder of a football team, wrote an email regarding the financing of the team via supporters’ donations. This email was sent to everybody who bought a ticket to the team’s games. The email was sent through the processor, and the database used to contact these data subjects contained the name, surname and email address of club and individual supporters.
Holding
Against this background, the controller did not provide the DPA with any document indicating that the controller gave the processor any instructions concerning the data subjects in the database used to find recipients of the email. The email sent by the controller was designed and approved by the processor.
The DPA thus deemed it appropriate to impose a fine of RON 24854.50 (€5,000) on the processor for the violation of Article 28(3) GDPR.
The DPA also required the processor to carry out the data processing only on the basis of “documented instructions from the controller”.
English Machine Translation of the Decision
The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.
30.01.2025
Sanction for non-compliance with the GDPR
The National Supervisory Authority for Personal Data Processing completed, in December 2024, an investigation at the operator RED&WHITE 2022 MANAGEMENT S.A. and found a violation of the provisions of art. 28 para. (3) let. a) of Regulation (EU) 2016/679. For the acts committed, the operator was fined 24854.50 lei (equivalent to 5000 euros).
The investigation into the sanctioned operator was initiated following matters notified to the Authority by the operator, namely by an authorized person of the operator, regarding a possible violation of the provisions of Regulation (EU) 2016/679 in the context of a crowdfunding campaign (microfinancing by individuals).
During the investigation, it was found that the operator, as a majority shareholder of a football team, sent an email regarding the possibility of financing the team by its supporters, to a database consisting of a very large number of emails of data subjects who had purchased tickets to the team's matches. The email was sent through an authorized person of the operator, and the database used contained personal data (surname, first name, email address) of both the club's supporters (supporters) and other individuals.
In this context, the controller has not provided evidence of the development of documented instructions for its processor regarding the category (supporters) of data subjects in the database used, to whom the processor sent the email, designed and approved by the controller, about the funding campaign.
It is worth highlighting that Regulation (EU) 2016/679 provides in art. 28 para. (3) that “Processing by a processor of a controller shall be governed by a contract or other legal act under Union or national law which is binding on the processor of the controller and which sets out the subject matter and duration of the processing, the nature and purpose of the processing, the type of personal data and the categories of data subjects and the obligations and rights of the controller. (...)”. In addition, the aforementioned article regulates, among other things, that the respective contract or legal act specifically provides that the person empowered by the operator processes personal data only on the basis of “documented instructions from the operator”.
Legal and Communication Department A.N.S.P.D.C.P.