05.02.2024
Fine for the breach of the GDPR
In January 2024, the National Supervisory Authority finalized an investigation at an Owners’ Association from Miercurea Ciuc and found that the latter breached the provisions of Article 5 paragraph (1) letters a), c) and paragraph (2), Article 6, and Article 12 paragraphs (3) and (4), by reference to Article 83 paragraph (5) letter e) of Regulation (EU) 2016/679 (GDPR).
The controller was sanctioned with fines totalling Lei 2,486.2, the equivalent of EUR 500.
The investigation took place following a complaint which argued that the controller disclosed the data of a natural person by posting on the WhatsApp group of the members of the Owners’ Association a notification through which the claimant was requesting several pieces of information and documents regarding the functioning of the Authority.
During the investigation, it was found that the controller unlawfully and excessively disclosed the claimant’s data (first name, last name and domicile address from Bucharest) by posting on the WhatsApp group of the Owners’ Association a notice that the claimant had provided to the Association, contrary to Article 5 paragraph (1) letters a), c), paragraph (2) and Article 6 of the GDPR.
It was also found that the Owners’ Association did not present proof that it had communicated a response to the claimant’s request exercising the rights of access, deletion and opposition, thus breaching the provisions of Article 12 paragraphs (3) and (4) of the GDPR.
It was also found that the controller did not present proof that it had applied the corrective measures ordered through the findings/sanctioning report previously concluded by our institution, thus breaching an order of the National Supervisory Authority, which constitutes the contravention provided under Article 83 paragraph (5) letter e) of the GDPR.
At the same time, the Owners’ Association was ordered to take the following corrective measures:
- to provide a written response to the claimant’s request, giving her the information requested under the right of access and, respectively, the measures adopted following the exercise of the rights to deletion and opposition;
- to ensure that its personal data processing operations comply with the GDPR, so that the personal data of the data subjects, including the association’s members, are processed in strict observance of the processing principles and rules provided mainly under Articles 5 and 6 of the GDPR; to this end, the persons processing personal data under its authority are to be trained accordingly and its processors are to be given adequate instructions, according to Article 28 of the GDPR;
- to respond in writing to the claimant’s request, in order to communicate to her the measures adopted following the exercise of the rights to erasure and opposition;
- to ensure that its personal data processing operations comply with the GDPR by adopting the necessary organizational measures, including the corresponding training of the personnel appointed for this purpose, so that the controller responds to the requests through which data subjects exercise their rights, within the deadlines and under the conditions provided under Articles 12-23 of the GDPR.
Legal and Communication Department
A.N.S.P.D.C.P.