Home » Comunicat_Presa_24_04_2025
 Română | English | Francais

sigla_anspdcp_2.png

The new Regulation 2016/679 applicable from 25th of May 2018

 

Complaints

GDPR Complaints

 

Procedure for complaints

Information on the payment of fine by legal entities

Controllers

Data Protection Officer Form

 

GDPR Breach Notification

 

Law nr. 506/2004 Breach Notification

 

GDPR Sanctions

Schengen

 

Schengen

Visa Information System

 

 

 

Visa Information System

News

Useful Information

 

F.A.Q.

Guidelines Q&A Regulation (EU) 2016/679

Indicative guidelines GDPR

Guidelines on the application of Law no. 363/2018

Useful Links

 

TFTP - Terrorist Finance Tracking Program

 

 

 

Procedure

Forms

Contact

Contact us

Data Protection

Information on the processing of personal data carried out by ANSPDCP

 

Cookies policy

24.04.2025

Sanction for infringing the GDPR

 

The National Supervisory Authority for Personal Data Processing completed, in April 2025, an investigation at the controller Dante International SA and found the breach of Article 32 paragraph (1), in relation to Articles 17 and 19 of Regulation (EU) 2016/679.

As such, the controller was sanctioned with a fine in the amount of 49,770 lei (the equivalent of 10,000 euros).

The investigation was initiated following a complaint alleging a possible violation of the provisions of Regulation (EU) 2016/679.

Thus, a customer complained that the controller had processed his personal data, namely e-mail addresses associated with the customer account created within the online platform owned by the controller, without his consent.

During the investigation, it was found that, although the controller confirmed to the petitioner through several responses that the e-mail addresses associated with his customer account had been deleted following his requests, the petitioner continued to receive an opinion/evaluative opinion (“feedback”) message on the respective addresses.

At the same time, it was found that certain collaborators of the controller had the possibility to view/use the petitioner’s e-mail address.

It was also found that the controller did not properly handle the requests sent by the petitioner repeatedly to delete the e-mail addresses and did not provide in the responses sent to the petitioner, clear information in a transparent and intelligible manner regarding the continued use of the respective e-mail addresses.

As such, it was established that the provisions of Article 12 paragraph. (1) were violated by reporting to the provisions of Article 17 and Article 19 of Regulation (EU) 2016/679.

At the same time, the following corrective measures were ordered against the controller:

  • to send a written response to the requests of the petitioner, according to Article 17 of the GDPR and which complies with the conditions of transparency, clarity and intelligibility provided for in Article 12 of the GDPR;
  • to ensure compliance of the personal data processing operations with the GDPR, by adopting the necessary technical and organizational measures, including in terms of appropriate training of the personnel designated for this purpose, so that the controller is able to correctly receive, assess, handle and respond to all requests by which the data subjects exercise their rights, within the deadlines and according to the conditions provided for in Articles 12-23 of the GDPR, including in terms of the conditions related to transparency, clarity and intelligibility of the information and communications that the controller sends to the data subjects following the exercise of their rights;
  • to ensure compliance of personal data processing operations with the GDPR, by adopting the necessary technical and organizational measures, including in terms of appropriate training of the personnel designated for this purpose, so that, in the event of acceptance of requests for deletion or rectification of personal data from accounts opened on its online platform, these operations become effective immediately (“without undue delay”) and are notified to the recipients, according to Article 16, Article 17 and Article 19 of the GDPR, also taking into account compliance with the principles set out in Article 5 of the GDPR, in particular, the provided for in Article 5 paragraph (1) letter d) of the GDPR.

 

Legal and Communication Department

A.N.S.P.D.C.P