Home » Comunicat_Presa_05_02_2024
 Română | English | Francais

sigla_anspdcp_2.png

The new Regulation 2016/679 applicable from 25th of May 2018

 

Complaints

GDPR Complaints

 

Procedure for complaints

Information on the payment of fine by legal entities

Controllers

Data Protection Officer Form

 

GDPR Breach Notification

 

Law nr. 506/2004 Breach Notification

 

GDPR Sanctions

Schengen

 

Schengen

Visa Information System

 

 

 

Visa Information System

News

Useful Information

 

F.A.Q.

Guidelines Q&A Regulation (EU) 2016/679

Indicative guidelines GDPR

Guidelines on the application of Law no. 363/2018

Useful Links

 

TFTP - Terrorist Finance Tracking Program

 

 

 

Procedure

Forms

Contact

Contact us

Data Protection

Information on the processing of personal data carried out by ANSPDCP

 

Cookies policy

05.02.2024

Fine for the breach of the GDPR

 

The National Supervisory Authority finalized in January 2024 an investigation at an Owners’ Association from Miercurea Ciuc and found that the latter breached the provisions of Article 5 paragraph (1) letters a), c) and paragraph (2) and Article 6, Article 12 paragraphs (3) and (4) by reference to Article 83 paragraph (5) letter e) from the Regulation (EU) 2016/679 (GDPR).

The controller was sanctioned with fines in total amount of Lei 2,486.2, the equivalent of EUR 500.

The investigation took places following a complaint through which it was argued that the controller disclosed the data of a natural personal by posting a notification on the WhatsApp group of the members of the Owners’ association through which the claimant was requesting several information and documents regarding the functioning of the Authority.

Within the investigation started it was found that the controller disclosed unlawfully and excessively the claimant’s data though the posting on the WhatsApp group of the Owners’ Association of a notice provided by the latter to the Association (first name, last name and domicile address from Bucharest), against Article 5 paragraph (1) letters a), c), paragraph (2) and Article 6 from the GDPR.

Also, it was found that the Owners’ Association did not present proofs regarding the communication of a response to the request of the claimant through which the latter exercised the rights of access, deletion and opposition, thus breaching the provisions Article 12 paragraphs (3) and (4) from the legal enactment mentioned above.

Also, it was found that the controller did not present proofs regarding the application of the corrective measures ordered through the findings/sanctioning report previously concluded by our institution, thus breaching an order of the National Supervisory Authority, that represents the contravention provided under Article 83 paragraph (5) letter e) from the GDPR.

At the same time, the following corrective measures were ordered to the Owners’ Association:

  • to provide a written response to the claimant’s request, to provide her the information requested based on the right of access and respectively, the measures adopted following the exercise of the rights to deletion and opposition;
  • to ensure the compliance with the GDPR of the personal data processing operations, so as the personal data of the data subjects, including of the association’s members, to be processed with the strict observance of the processing principles and rules provided mainly under Articles 5 and 6 from the GDPR, sense in which inclusively a corresponding training of the persons that are processing personal data under its authority is to be performed and shall provide adequate instructions to the processors, according to Article 28 from the GDPR;
  • to respond in writing to the request of the claimant, in order to communicate her the measures adopted following the exercise of the right to erasure and to opposition;
  • to ensure the compliance with the GDPR of the personal data processing operations, through the adoption of the necessary organizational measures, inclusively from the perspective of the corresponding training of the personnel appointed in this respect, so as the controller to respond to the requests through which the data subjects are exercising their rights, within the deadlines and according to the conditions provided under Articles 12-23 from the GDPR.

 

Legal and Communication Department

A.N.S.P.D.C.P.