
30.01.2025

Sanction for non-compliance with the GDPR

 

The National Supervisory Authority for Personal Data Processing completed, in December 2024, an investigation at the controller RED&WHITE 2022 MANAGEMENT S.A. and found a breach of Article 28 paragraph (3) letter a) of Regulation (EU) 2016/679.

For the acts committed, the controller was fined 24,854.50 lei (the equivalent of 5,000 euros).

The investigation at the sanctioned controller was started as a result of issues reported to the authority by the controller itself and by a data processor, regarding a possible violation of the provisions of Regulation (EU) 2016/679 in the context of running a crowdfunding campaign (microfinancing from individuals).

During the investigation it was found that the controller, as the majority shareholder of a football team, sent an e-mail about the possibility of the team being financed by its supporters to a database consisting of a very large number of e-mail addresses of data subjects who had bought tickets to the team’s matches. The e-mail was sent through a data processor, and the database used contained personal data (name, surname, e-mail address) both of the club’s supporters and of other natural persons.

In this context, the controller did not prove that it had prepared documented instructions for its data processor regarding the category of data subjects (supporters) in the database used, to whom the data processor sent the e-mail about the financing campaign, which had been drafted and approved by the controller.

It should be highlighted that Regulation (EU) 2016/679 provides in Article 28 paragraph (3) that “Processing by a processor shall be governed by a contract or other legal act under Union or Member State law, that is binding on the processor with regard to the controller and that sets out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the controller.(…)”

In addition, the provision mentioned above requires, among other things, that the contract or legal act stipulate in particular that the data processor processes personal data only on the basis of “documented instruction from the controller”.

 

Legal and Communication Department

A.N.S.P.D.C.P