Home » NSAPDP imposed a fine to Hilmi Medical Center
 Română | English | Francais

The National Supervisory Authority for Personal Data Processing imposed a fine of 10.000 RON  to Hilmi Medical Center SRL as a personal data controller

 

The National Supervisory Authority for Personal Data Processing has applied a contraventional fine of 10.000 RON the personal data controller – Hilmi Medical Center SRL.

The investigation’s minutes indicate the following contraventions:

· Failure to notify and malevolent notification, more precisely the failure to submit the notification provide under Article 22 paragraph (1) and (3) and Article 29 paragraph (3) of Law no. 677/2001;

· Illegal processing of personal data, as a failure to observe the provisions of Article 12 of Law no. 677/2001 on the right of information;

· Failure to observe the provisions of Article 13 on unsolicited commercial communications, contravention which is provided for by Article 13 paragraph (1) letter. q) of Law no. 506/2004, as Hilmi Medical Center SRL has sent commercial communications via e-mail in order to offer promotional medical packages to their patients without their prior, explicit consent and without providing the patients with the possibility to oppose to receiving the promotional packages.

Therefore, for the issues noticed during the investigation the following sanctions were imposed:

1. Fine of 3000 RON, in accordance with Article 31 of Law no. 677/2001, correlated with the provisions of Article 5, Article 6 and Article 8 of Government’s Ordinance no. 2/2001;

2. Fine of 2000 RON, in accordance with Article 31 of Law no. 677/2001, correlated with the provisions of Article 5, Article 6 and Article 8 of Government’s Ordinance no. 2/2001;

3. Fine of 5000 RON, in accordance Article 13 paragraph (2) of Law no. 506/2004, correlated with the provisions of Article 5, Article 6 and Article 8 of Government’s Ordinance no. 2/2001.

Moreover, the supervisory authority made a series of recommendations to the data controller amongst which we would like to mention: submitting a notification for the purposes of “advertising and marketing” and, respectively, for the purpose of “monitoring/security of persons, public/private areas and goods”, within a deadline of 5 days from signing the investigation’s minute; information of the data subjects with regard to the purposes mentioned above; drafting a policy on the protection of the personal data processed, in accordance with the provisions of Order no. 52/2002; establishing a storage period for the collected data, strictly limited to the duration required in order to fulfil the processing’s purpose.

In order to correctly inform the general public, we would like to mention that in order to exercise the rights of access, intervention or opposition as granted by Law no. 677/2001, the data subject may contact the data controller directly (whether he/she is from the public or private sector), via a written, signed and dated request and the data controller is under the obligation to respond to such a request within 15 days. 

If, after the 15 days deadline has expired, no response was received or the request was not solved, the data subject may submit a complaint to the supervisory authority. The complaint must be accompanied by proof that the person in question has contacted the data controller. To this end, a model complaint form is available on our authority’s website Complaint templates.

 

Legal and Communication Dept.
NSAPDP

17th June 2014