Home » Comunicat_Presa_07_09_2023
 Română | English | Francais

07.09.2023

 

Sanction for the GDPR infringement

 

The National Supervisory Authority for Personal Data Processing finalized in August 2023 an investigation at the controller ISRA Center Marketing Research SRL and found the breach of the provisions of Article 14 paragraph (2) letter f), Article 17 paragraph (1) letter c) and of Article 21 paragraph (1) from Regulation (EU) 2016/679.

The controller was sanctioned with two fines in total amount of Lei 9,898, the equivalent of EUR 2,000.

The investigation was started following a complaint submitted by a natural person that reported the fact that the controller sends him/her unsolicited messages on the e-mail address.

Within the investigation performed, the National Supervisory Authority found that ISRA Center Marketing Research SRL collected the personal data of the data subject (for example, the first name, last name, e-mail address, workplace) indirectly, from public sources, for the purpose of a proposal to participate at a market research.

Therefore, within the investigation, it resulted that the controller did not present proofs from which to result that it ensured a clear and complete information of the person whose personal data it collected from public sources, omitting to provide all the information provided under Article 14 from Regulation (EU) 2016/679, such as the collection source for the data (Article 14 paragraph (2) letter f)). Also, it was found that the source for the collection of the data was not clearly presented neither within the information available on the website of the controller.

Also, within the investigation, it resulted that ISRA Center Marketing Research SRL did not take the necessary measures to handle the request for the exercise the right to object to the processing of the data. Thus, the controller continued to process the data of the claimant by sending a new message, the provisions of Article 17 paragraph (1) letter c) and of Article 21 paragraph (1) from Regulation (EU) 2016/679 being thus breached.

Also, according to the provisions of Article 58 paragraph (2) letter d) from Regulation (EU) 2016/679, also the following corrective measures were applied to the controller:

  • to ensure the compliance with Regulation (EU) 2016/679 of the operations for the processing of personal data, by ensuring a clear and complete information of the data subjects, both on its own website and within other documents provided directly to the data subjects, by providing all the information mentioned under Articles 13 and 14, as the case may be, with the observance of the transparency conditions provided under Article 12 from the same Regulation;
  • To analyze the lawfulness of the personal data previously collected from other sources than directly from the data subjects and to eliminate from the evidence system, as the case may be, the personal data which processing was not performed with the observance of all the provisions of Regulation (EU) 2016/679.

We mention that the controller paid the countervalue of the sanctions imposed.

 

Legal and Communication Department

A.N.S.P.D.C.P.