27.01.2025
Sanction for the breach of GDPR
The National Supervisory Authority for Personal Data Processing completed, in December 2024, an investigation at the controller Orange România S.A. and found a breach of Article 12 paragraphs (3) and (4), in conjunction with Article 17 of Regulation (EU) 2016/679, as well as of Article 5, Article 6 and Article 7 of Regulation (EU) 2016/679.
As such, the controller was sanctioned with two fines totalling 199,020 lei, the equivalent of 40,000 euros, as follows:
- a fine of 99,510 lei (the equivalent of 20,000 euros), for the breach of Article 12 paragraphs (3) and (4), in conjunction with Article 17 of Regulation (EU) 2016/679;
- a fine of 99,510 lei (the equivalent of 20,000 euros), for the breach of Article 5, Article 6 and Article 7 of Regulation (EU) 2016/679.
The investigation was launched to check the manner in which the right to erasure is handled.
During the investigation it was found that, after the unsuccessful attempt to subscribe to the mobile phone services offered by the controller, the erasure of all personal data was requested. During the course of the correspondence, the controller requested more personal data and no complete and adequate replies were provided to the requests received.
Within the investigation, it turned out that Orange România S.A. did not properly manage the requests to erase personal data, thus violating the provisions of Article 12 paragraphs (3) and (4), in conjunction with Article 17 of Regulation (EU) 2016/679.
At the same time, it was found that the controller also excessively collected and stored scanned copies of some documents, although the personal data were no longer necessary for the purpose of identification related to the conclusion of a subscription contract. As such, the provisions of Article 5, Article 6 and Article 7 of Regulation (EU) 2016/679 were infringed.
Furthermore, as part of the investigation, the following corrective measures were ordered to the controller:
- to submit a complete reply to the request to erase his personal data, according to the applicable legal provisions;
- to ensure that personal data processing operations comply with Regulation (EU) 2016/679, by adopting the necessary technical and organisational measures, including the appropriate training of personnel designated for this purpose, so that the controller is able to analyse, correctly handle and appropriately reply to the requests through which the data subjects exercise their rights, within the terms and according to the conditions provided by Articles 12-23 of Regulation (EU) 2016/679, with clear, transparent and accessible information provided to the data subjects regarding the mechanisms for exercising those rights;
- to remove from the database the personal data and the identity documents of the affected persons, collected during the failed procedure of subscribing to the services offered;
- to ensure that personal data processing operations comply with Regulation (EU) 2016/679, so that the controller clearly establishes the legal basis for the collection of personal data by reference to each purpose of the processing, within the steps that precede the conclusion of a subscription contract to its services, so that personal data and identity documents are not collected and subsequently stored excessively and illegally, but only in compliance with the applicable legislation, with clear, transparent and accessible information provided to the data subjects, pursuant to the provisions of Articles 5-7 and Articles 12-14 of Regulation (EU) 2016/679.
Legal and Communication Department
A.N.S.P.D.C.P