ANSPDCP - BNP Paribas Personal Finance SA

From GDPRhub
ANSPDCP - BNP Paribas Personal Finance S.A.
LogoRO.jpg
Authority: ANSPDCP (Romania)
Jurisdiction: Romania
Relevant Law:
Article 13(1)(q) Law No 506/2004
Type: Complaint
Outcome: Upheld
Decided: n/a
Published: 18.03.2021
Fine: 10000 RON
Parties: BNP Paribas Personal Finance SA Paris Bucharest Branch
National Case Number/Name: BNP Paribas Personal Finance S.A.
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Romanian
Original Source: ANSPCDP (in RO)
Initial Contributor: Andrada Mocanu

The Romanian DPA (ANSPDCP) fined BNP Paribas Personal Finance S.A. Paris 10,000 RON for violating Article 13(1)(q) of the Law No 506/2004 by sending commercial SMS messages without the prior consent of the recipient.

English Summary[edit | edit source]

Facts[edit | edit source]

A data subject filed a complaint regarding the fact that he received a commercial SMS message from BNP Paribas Personal Finance S.A. Paris Bucharest Branch.

The Romanian DPA investigated the case and found that the operator did not prove the existence of the prior consent of the person concerned, according to Article 12 of Law no. 506/2004, although the petitioner had previously exercised, repeatedly, the right to oppose to the processing of their data for marketing purposes.

Dispute[edit | edit source]

Holding[edit | edit source]

The Romanian DPA held that a company should have the recipient's prior consent before sending commercial SMS messages.

Comment[edit | edit source]

Share your comments here!

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.

A.N.S.P.D.C.P completed in February 2021 an investigation regarding the operator BNP Paribas Personal Finance SA Paris Bucharest Branch and found that the act of “non-compliance with the provisions of Article 12 regarding the unsolicited communications”, provided by Article 13(1)(q) of Law no. 506/2004 on the processing of personal data and the protection of privacy in the electronic communications sector.

As a consequence, the operator BNP Paribas Personal Finance SA Paris Bucharest Branch was sanctioned with a fine of 10000 RON.

The investigation was initiated following a complaint sent by the data subject regarding the fact that he received a commercial SMS message from BNP Paribas Personal Finance S.A. Paris Bucharest Branch.

Following the investigation, it was found that the operator did not prove the existence of the prior consent of the person concerned, according to Article 12 of Law no. 506/2004, although the petitioner had previously exercised, repeatedly, the right to oppose to the processing of their data for marketing purposes.

The provisions of Article 12 of Law no. 506/2004 provides as follows: 

"(1) Commercial communications shall be prohibited by the use of automated call and communication systems which do not require the intervention of a human operator, by fax or e-mail or by any other method using electronic communications services intended for the public, unless in which the subscriber or user concerned has previously given his express consent to receive such communications.

(2) Notwithstanding to the provisions of paragraph (1), if a natural or legal person directly obtains the e-mail address of a customer, on the occasion of purchasing a product or service, in accordance with the provisions of Law no. 677/2001, the natural or legal person concerned may use that address for the purpose of making commercial communications concerning similar products or services which that person markets, provided that he clearly and expressly offers customers the opportunity to object by a simple and free means, both when obtaining the e-mail address and on the occasion of each message, if the customer did not initially object.

(3) In all cases, it is forbidden to make commercial communications by e-mail in which the real identity of the person in whose name and on whose behalf they are made is hidden, in violation of Article 5 of Law no. 365/2002 or in which a valid address is not specified to which the recipient can send his request regarding the cessation of such communications or in which the recipients are encouraged to visit internet pages that contravene Article 5 of Law no. 365/2002.

(4) The provisions of Paragraphs 1 and 3 shall apply accordingly to legal persons."

Also, Article 5(2) of Law no. 129/2018 stipulates that “All references to Law no. 677/2001, with the subsequent amendments and completions of the normative acts are interpreted as references to the GDPR and to the legislation that implements it.”



Legal and communication department

A.N.S.P.D.C.P.