
20.06.2023


Sanction for the GDPR infringement


Based on the cooperation mechanisms provided under Regulation (EU) 2016/679, the National Supervisory Authority was contacted by the Data Protection Authority of Hungary (DPA Hungary) in relation to complaints submitted by three natural persons from that state against Dante International SA.

DPA Hungary considered the National Supervisory Authority to be the Lead Supervisory Authority in this case, given that the company has its main registered office in Romania.

The National Supervisory Authority accepted the proposal to act as lead supervisory authority, considering that Dante International SA carries out, through the emag website (with versions in the official languages of three countries: Romania, Hungary and Bulgaria), personal data processing operations in the context of the ordering of the products that it sells online (directly or through partners).

Therefore, in the investigations performed by the National Supervisory Authority for the handling of the three cases reported, the following aspects were found:

  1. In the first case, a claimant requested the deletion of the account created on emag.hu, corresponding to this end with the address info@emag.hu. In the response received from this address, the client was asked to send a dated and signed request (scanned or photographed) to the address data.protection@emag.ro.

In the investigation performed for the handling of this complaint, the National Supervisory Authority found that Dante International SA did not provide regular and adequate training to the employees of the group regarding the procedure to be followed for the handling of data subjects’ requests.

It was found that the training of the personnel of the Hungarian entity is performed mainly at the time of hiring and within each entity of the group, and subsequently only “in specific and customized situations at department level.”

However, according to Article 24 of the GDPR, the controller has the obligation to implement adequate technical and organizational measures, including adequate data protection policies, in order to guarantee and be able to demonstrate that the processing is performed in accordance with the GDPR. These policies must also address the handling of complaints received from data subjects and the performance of regular training sessions for the personnel involved in the processing of personal data.

  2. In the second case, another claimant requested the erasure of his data at several e-mail addresses of the controller (data.protection@emag.ro, info@emag.hu and data.protection@emag.hu) and also through the contact form on its website, but this was not possible because the eMag servers rejected his request as coming from an address that is not trustworthy.

Regarding the automatic rejection of the claimant’s requests, the controller argued that its servers use public lists provided by a third party, over which it has no control, and that the situation was possibly caused by the poor reputation of the @freemail.hu service at the time the claimant sent those requests to Dante.

The situation found in this case showed that establishing a single, exclusive communication channel for data subjects, as well as the lack of adequate information about certain technical limitations, can lead to an unjustified restriction of their rights.

It was also found that the information on the website emag.hu did not contain complete information regarding transfers to third countries and the purposes and recipients in this context, as required by Article 13 paragraph (1) letters c), e) and f) and Article 14 paragraph (1) letters c), e) and f) of the GDPR.

Following the investigation, the controller amended its personal data privacy policy published on the emag website, offering data subjects the possibility to submit GDPR-based requests both by e-mail (to an address such as data.protection@emag.hu) and by post/courier to a physical location in that state.

  3. Another claimant reported that one of his e-mail addresses continued to be processed by Dante, although he had requested that it be replaced with another e-mail address.

During the investigation, it was found that, although the rectification request was initially handled and the controller confirmed to the claimant the rectification of his e-mail address, that address continued to be processed by Dante in the context of a longer correspondence held with the claimant.

It was found that the claimant’s e-mail address continued to be stored in the database for the purpose of fulfilling the legal obligation to keep the accounting justifying documents, given the electronic invoices previously issued. The Supervisory Authority considered that this processing purpose is different from the one related to the handling of the claims, so the reactivation of this address and its use in electronic correspondence would have been possible only on the basis of the data subject’s consent, provided under Article 6 paragraph (1) letter a) of Regulation (EU) 2016/679.

Considering the aspects presented above, the Supervisory Authority found the following:

  • Dante International SA breached the provisions of Article 12 paragraph (2) by reference to Article 17 of the GDPR, as well as the provisions of Article 17 paragraph (1) of the GDPR, regarding the obligation of the controller to facilitate the exercise of data subjects’ rights and to erase their data without undue delay;
  • Dante International SA breached the provisions of Article 13 paragraph (1) letters c), e), f) and of Article 14 paragraph (1) letters c), e), f) of the GDPR, given that at the start of the investigation the information on the website emag.hu did not contain complete information on transfers to third countries and the purposes and recipients of the data in this context;
  • Dante International SA breached the provisions of Article 6 paragraph (1) letter a) of the GDPR, given that it continued to process the e-mail address of a data subject in a correspondence held with him, after his rectification request, without his consent.

The National Supervisory Authority considered that the circumstances of the cases mentioned above present a degree of gravity that requires the application of a fine against the controller. The cases were analysed according to the criteria for individualizing fines provided under Article 83 paragraphs (2) and (3) of the GDPR, with the following results:

  • The nature, gravity and duration of the breach: the non-observance of the transparency conditions provided under Article 12 of the GDPR regarding the facilitation of the exercise of data subjects’ rights at the level of the Hungarian company (part of the Dante group) and, implicitly, the failure to immediately adopt measures for the erasure of the personal data of two data subjects from this country, according to Article 17; the failure to provide complete information on the website emag.hu in relation to the transfer of data to third countries, according to Articles 13 and 14 of the GDPR; and the policy for handling data subjects’ requests for the exercise of the rights provided under the GDPR, which, at least in the case of the Hungarian company, limited the means of submitting requests to a single communication channel (a dedicated e-mail address);
  • The negligent nature of the controller’s fault in these cases;
  • The remedial measures for some of the aspects reported, adopted by the controller during the investigations performed by DPA Hungary and ANSPDCP, both in the particular cases of the claimants and in relation to the general procedures applied by the controller;
  • The type of personal data processed in the claimants’ cases: the personal data specific to placing an online order and to the payment and delivery of the product ordered (mainly first name, last name, e-mail address, telephone number, delivery address and/or invoice);
  • The sanctions previously applied by ANSPDCP against Dante International SA.

Therefore, following the investigations performed, the National Supervisory Authority informed the other supervisory authorities, including the authority from Hungary, in an informal consultation procedure based on Article 60 of Regulation (EU) 2016/679, of the conclusions resulting from the investigations in the three cases with cross-border impact, as well as of the draft decision drawn up by our institution.

Following the proposals made by DPA Hungary, the National Supervisory Authority issued the final decision, according to the provisions of Article 60 of Regulation (EU) 2016/679.

Therefore, considering that Dante International SA performs cross-border processing, the provisions of Article 60 of Regulation (EU) 2016/679 were applied, as well as those of Article 16 paragraphs (3), (5), (6) and (7) of Law no. 102/2005, republished, which provide for the application of sanctions/corrective measures by decision of the ANSPDCP President, based on the findings report and the reports of the control personnel.

Therefore, Dante International SA was sanctioned:

  1. With a fine in the amount of Lei 148,830 (the equivalent of EUR 30,000) for the breach of the provisions of Article 12 paragraph (2) and of Article 17 paragraph (1) of Regulation (EU) 2016/679;
  2. With a reprimand for the breach of the provisions of Article 13 paragraph (1) letters c), e), f) and of Article 14 paragraph (1) letters c), e), f) of Regulation (EU) 2016/679;
  3. With a fine in the amount of Lei 49,610 (the equivalent of EUR 10,000) for the breach of the provisions of Article 6 paragraph (1) letter a) of Regulation (EU) 2016/679.

At the same time, based on Article 58 paragraph (2) letter d) of Regulation (EU) 2016/679, the Supervisory Authority ordered the controller to take the following corrective measures:

  • to ensure that data subjects are fully informed, by providing all the information mentioned in Articles 13 and 14 of Regulation (EU) 2016/679, including in the context of the transfer of personal data to third countries, with this information to be available on the emag websites managed by the controller, in the national language version of each country;
  • to implement an anonymisation method in order to prevent the risk of re-identification of the persons whose personal data are subject to this procedure, according to Article 32 of Regulation (EU) 2016/679;
  • to take measures for the regular training of the personnel of the companies from Romania, Hungary and Bulgaria that are part of the Dante group of companies, in relation to the procedure to be followed for the correct handling of requests submitted by data subjects under Regulation (EU) 2016/679.


Legal and Communication Department

A.N.S.P.D.C.P.