ANSPDCP (Romania) - SC Travel Planner SRL

From GDPRhub
ANSPDCP - SC Travel Planner SRL
Authority: ANSPDCP (Romania)
Jurisdiction: Romania
Relevant Law: Article 12(3) GDPR
Article 12(4) GDPR
Article 32 GDPR
Article 33 GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided:
Published: 25.04.2025
Fine: 29,886 RON
Parties: SC Travel Planner SRL
National Case Number/Name: SC Travel Planner SRL
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Romanian
Original Source: ANSPDCP (in RO)
Initial Contributor: cci

The DPA fined a travel operator RON 29,886 (€6,000) for publishing the personal data of some of its customers on its Facebook page.

English Summary

Facts

Travel operator SC Travel Planner SRL (the controller) organized a raffle to reward its customers. To do so, it published personal information of customers on its Facebook page, including their names, the hotel they reserved, and the period of their stay. Some of the customers submitted access requests and filed complaints with the DPA over the publication of their data.

Holding

The DPA held that the publication of customers' personal data on the controller's page constituted a data breach. For this reason, the DPA held that the controller failed to process personal data securely and failed to report the breach. Furthermore, the DPA found that the controller failed to respond to the access requests from its customers.

The DPA fined the controller a total of RON 29,886 (€6,000): RON 24,886 (€5,000) for breaching Article 32 GDPR, and RON 4,972 (€1,000) for breaching Article 33. The DPA also ordered the controller to implement more robust security measures as well as measures to detect, manage and report data breaches. Finally, the DPA ordered the controller to respond to the access requests it received from its customers.

English Machine Translation of the Decision

The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.

25.04.2025

Sanction for violation of the GDPR

 

The National Supervisory Authority for Personal Data Processing completed, in April 2025, an investigation at the operator SC Travel Planner SRL and found a violation of the provisions of art. 32, art. 33, and art. 15 in relation to art. 12 para. (3) and (4) of Regulation (EU) 2016/679.

As such, the operator was sanctioned for a minor offence:

with a fine of 24,886 lei (equivalent to 5,000 EURO), for violating art. 32 of Regulation (EU) 2016/679;

with a fine of 4,977.20 lei (equivalent to 1,000 EURO), for violating art. 33 of Regulation (EU) 2016/679;

with a warning for the violation of Article 15 of Regulation (EU) 2016/679, in relation to the provisions of Article 12(3) and (4) of Regulation (EU) 2016/679.

The investigation was initiated following complaints that reported a possible unlawful processing of personal data.

The investigation revealed that the operator, in order to organize a raffle to reward its customers, published, on its Facebook page, a table containing personal data of tourists, such as: surname, first name, reservation identification numbers, hotel or location where they made the reservation and the period of stay. Thus, the operator did not adopt sufficient technical and organizational security measures. This situation led to the unauthorized disclosure of data of the data subjects, in violation of the provisions of Art. 32 of Regulation (EU) 2016/679. Consequently, the operator was fined 5,000 Euros.

It was also found that the operator did not notify this data security breach, which contravenes the provisions of art. 33 of Regulation (EU) 2016/679, and thus the penalty of a fine of 1,000 Euros was applied.

At the same time, during the investigation, it emerged that no evidence was presented regarding the communication to the petitioners of a complete response to their request by which they exercised their right of access, thus violating the provisions of art. 15, in relation to the provisions of art. 12 para. (3) and (4) of Regulation (EU) 2016/679. The operator was sanctioned for this act with a warning.

At the same time, the operator was also ordered to take the following corrective measures:

to ensure that personal data processing operations comply with Regulation (EU) 2016/679, by implementing technical and organizational security measures appropriate to the specific nature of the processing and the risks identified, throughout the data processing cycle, by training the persons who process data under the authority of the operator, and by regularly verifying compliance with the instructions sent to them;

to ensure that personal data processing operations comply with Regulation (EU) 2016/679, by adopting the internal measures necessary for the rapid detection, management and reporting of personal data security breaches, regardless of whether or not they require notification of the supervisory authority and/or the data subjects, as well as appropriate and regular training, in this context, of the persons who process data under the authority of the operator;

to communicate to the petitioners a response to the request to exercise the right of access.

Legal and Communication Department
A.N.S.P.D.C.P.