Home » sanctiuni0
 Română | English | Francais

sigla_anspdcp_2.png

The new Regulation 2016/679 applicable from 25th of May 2018

 

Complaints

GDPR Complaints

 

Procedure for complaints

Information on the payment of fine by legal entities

Controllers

Data Protection Officer Form

 

GDPR Breach Notification

 

Law nr. 506/2004 Breach Notification

 

GDPR Sanctions

Schengen

 

Schengen

News

Useful Information

 

F.A.Q.

Guidelines Q&A Regulation (EU) 2016/679

Indicative guidelines GDPR

Guidelines on the application of Law no. 363/2018

Useful Links

 

TFTP - Terrorist Finance Tracking Program

 

 

 

Procedure

Forms

Contact

Contact us

Data Protection

Information on the processing of personal data carried out by ANSPDCP

 

Cookies policy

Press Release

 

In May 2016, the National Supervisory Authority for Personal Data Processing carried out several inspections ex officio or following the complaints or notices received, as a result of which sanctions were applied.

Among them, we present the cases where sanctions have been applied with a minimum fine of 5000 lei.

1. B.R.D.

It was ascertain the offence of “illegal processing of personal data” – offence provided in Article 32 of Law no. 677/2001 because BRD Groupe Societe Generale SA transmitted negative data to Biroul de Credit SA for several natural persons without proving the prior information of the data subject in conformity with the conditions set up in Article 8 (2) and Article 9 (1) of A.N.S.P.D.C.P. Decision no. 105/2007 corroborated with the provisions of Article 12 (1) of Law no. 677/2001.

For this offence, a fine of 23.000 lei was applied.

2. I.N.G.

It was ascertain the offence of “illegal processing of personal data” – offence provided in Article 32 of Law no. 677/2001 because ING Bank N.V. Amsterdam, Bucureşti branch transmitted several times during the same month negative data to Biroul de Credit SA for the same delay of payment (taking into account the obligation of payment due), namely the transmission of these negative data does not observe the 30 days deadline which is contrary to the provisions of Article 5 (1) of .N.S.P.D.C.P. Decision no. 105/2007 corroborated with the provisions of Article 4 (1) (a) and (c) of Law no. 677/2001.

For this offence, a fine of 20.000 lei was applied.

3. OTP Bank Romania S.A.

It was ascertain the offence of “illegal processing of personal data” – offence provided in Article 32 of Law no. 677/2001 because OTP Bank România S.A. transmitted negative data to Biroul de Credit SA for several natural persons without proving the prior information of the data subject in conformity with the conditions set up in Article 8 (2) of A.N.S.P.D.C.P. Decision no. 105/2007, Article 12 (1) of Law no. 677/2001 and Article 9 (1) of A.N.S.P.D.C.P. Decision no. 105/2007 corroborated with Article 12 of the same decision.

For this offence, a fine of 5.000 lei was applied.

4. S.C. Farmacia Dona S.R.L.

The following contraventions were noted: 

  1. “Failure to notify and malevolent notification” provided by Article 31 of Law no. 677/2001 because S.C. Farmacia Dona S.R.L., even if it started to use the electronic system establishing the working hours of the employees – biometric data since July 2015, did not notify A.N.S.P.D.C.P. before starting the processing, according to the obligations provided under Article 22 (1) of Law no. 677/2001;
  2. “Illegal processing of personal data” provided by Article 32 of Law no. 677/2001 because S.C. Farmacia Dona S.R.L. processed the biometric data starting with July 2015, biometric data which are considered excessive considering the purpose of the processing, namely establishing the working hours of the employees, because other means could have been used (less intrusive) in order to achieve the purpose, thus infringing Article 4 (1) of Law no. 677/2001.

For these offences, sanctions of an amount of 9.000 lei were applied:

       1. fine of 1.500 lei for the contravention provided by Article 31 of Law no. 677/2001

       2. fine of 7.500 lei for the contravention provided by Article 32 of Law no. 677/2001

5. S.C. Urgent Cargus S.R.L.

The following contraventions were noted: 

  1. “Failure to notify and malevolent notification”, provided by Article 31 of Law no. 677/2001 because S.C. Urgent Cargus S.R.L. failed to submit the notification provided under Article 22 paragraph (1) and Article 15 (1) A.N.S.P.D.C.P. Decision no. 52/2012 for the purpose “monitoring/security of individuals, public/private areas and/or goods” even if it had such an obligation;
  2. The non observance of the conditions provided by Article 4 (5) of Law no. 506/2004, amended and completed, because with reference to the website www.urgentcargus.ro, for the information stored in the terminal device of the user, S.C. Urgent Cargus S.R.L. did not fulfil the conditions provided under Article 4 (5) (a) and (b) of Law no. 506/2004 and did not obtain the consent of the concerned user for the existing cookies on www.urgentcargus.ro and did not provide, prior to expressing the consent, information referring to the general purpose of processing the information stored, the lifetime, what information are stored and accessed, as well as allowing the storage and/or access of third parties to the information retained on the terminal device of the user, contravention provided in Article 13 (1) (i) of Law no. 506/2004;
  3. “Failure to fulfill the obligations regarding the confidentiality and enforcement of security measures”, provided by Article 33 of Law no. 677/2001 because S.C. Urgent Cargus S.R.L. did not take sufficient confidentiality and security measures for the processed data and did not apply adequate technical and organisation measures in order to protect the personal data against the disclosure or unauthorized access, according to Article 20 of Law no. 677/2001.

For these offences, sanctions of an amount of 10.000 lei were applied.