Home » Comunicat_Presa_02_05_2023
 Română | English | Francais

sigla_anspdcp_2.png

The new Regulation 2016/679 applicable from 25th of May 2018

 

Complaints

GDPR Complaints

 

Procedure for complaints

Information on the payment of fine by legal entities

Controllers

Data Protection Officer Form

 

GDPR Breach Notification

 

Law nr. 506/2004 Breach Notification

 

GDPR Sanctions

Schengen

 

Schengen

Visa Information System

 

 

 

Visa Information System

News

Useful Information

 

F.A.Q.

Guidelines Q&A Regulation (EU) 2016/679

Indicative guidelines GDPR

Guidelines on the application of Law no. 363/2018

Useful Links

 

TFTP - Terrorist Finance Tracking Program

 

 

 

Procedure

Forms

Contact

Contact us

Data Protection

Information on the processing of personal data carried out by ANSPDCP

 

Cookies policy

02.05.2023

Caselaw evolutions

 

With reference to the activity of representation before the courts, within the 2019-2020 period, the National Supervisory Authority for Personal Data Processing received a total number of 127 summons, out of which through 49 summons were challenged the sanctions applied within the investigations performed.

During 2022 a number of 42 new summons were received, out of which 22 summons have as object the challenge of the sanctioning reports issued by ANSPDCP.

From the cases through which the sanction/measures applies were challenged, until the data of 31st of March 2023, 23 files were finalized, and within 18 of these cases final decisions in favor of ANSPDCP were rendered.

Therefore, the judicial courts fully confirmed the fines applied by our institution to the following 11 controllers:

  • Banca Transilvania SA (EUR 100,000)
  • Vreau Credit SRL (EUR 20,000)
  • Proleasing Motors SRL (EUR 15,000)
  • Hora Credit IFN SA (EUR 14,000)
  • Dada Creation SRL (EUR 5,000)
  • Actamedica SRL (EUR 3,000)
  • Dante Internațional (EUR 3,000)  
  • Royal President SRL (EUR 2,500)
  • CN Poșta Română (EUR 2,000)
  • Nobiotic Pharma SRL (EUR 2,000)
  • CN Poșta Română (EUR 1,000)

Also, 5 cases in favor of the National Supervisory Authority were finalized by maintaining the findings/sanctioning reports in the sense of finding the misdemeanour nature of the deeds, with the reduction of the amount of the fine or its replacement with reprimand, in relation to the controllers: SC Entirely Shipping & Trading SRL (reduction), World Trade Center Bucharest SA,  Legal Company & Tax Hub SRL, Raiffeisen Bank (reduction), Asociația Asistenței Rutiere A-Car Vaslui.

5 contravention complaints, submitted by the following controllers, were grounded: ING Bank N.V. AMSTERDAM, CN Tarom, Tip Top Food Industry SRL, Artmark Holding, Viva Credit IFN SA.

In this context, we mention that the decisions issued by our institution through which the cease of the processing and the deletion of the personal data were ordered, have also been challenged in court, out of which we highlight the cases with Cluj territorial and administrative unit (Local Police Cluj) and Constanta territorial and administrative unit (Local Police), that has as object the illegal use of the audio-video portable surveillance by the local police officers (body camera).

Following the investigations performed, it was found that the controllers mentioned above have breached the provisions of Article 5 paragraph (1) letter a) with reference to Article 6 paragraph (1) from Regulation (EU) 2016/679, because the personnel of the Local Police, within the exercise of the specific missions and activities, has processed personal data by using the portable audio-video system “Body-Worn Camera” (image and video) without the existence of a legal obligation of the controller and without the fulfilment of any other condition provided under Article 6 paragraph (1) from GDPR.

Therefore, the reprimand sanction was applied, together with a Decision through which it was ordered for those controllers to terminate any personal data processing operation or set of operations performed through the “Body-Worn Camera” audio-video systems and to delete the system of evidence of the personal data created following the use of such systems.  

We underline that, through final decisions from 2022 and 2023, the courts maintained the decisions of the Authority through which the termination of the processing and the deletion of the images collected by the local police were ordered, following the investigations through which the lack of legality of those data processing was found.

In order to support the controllers preoccupied with the correct application of the data protection rules, we hereby present, as example, some excerpts from relevance causes within which the courts found the legality and as grounded the reports concluded by ANSPDCP, confirmed the approach of our institution.

  • Regarding the fine sanction in total amount of EUR 3,000, through final decision, the Bucharest Court of Appeal confirmed the sanction applied by ANSPDCP to the controller Dante International.

Thus, the court of appeal found that: “in this case, the sanction applied by the authority fully corresponds to these proportionality criteria given that, as it was already found, the deed was committed under the conditions in which the person that submitted the claim requested expressly to the appellant-plaintiff not to provide him commercial messages anymore.

Also, from the request for summons and the request for appeal it does not result that the appellant-plaintiff understood the fact that it performed an unlawful processing, his arguments being cantered in the fact that it acted fully in accordance with the legal provisions, through the attempt to mask under the appearance of a transactional messages a direct marketing message. Also, the Court finds that the appellant-plaintiff has also been sanctioned for breaches of the legal provisions regarding the processing of personal data(…).

On the other hand, the amount of the fine established by the appellant-defendant through the sanction report (the equivalent of EUR 3,000) is oriented to the special minimum established under the law and has a much lower value than the sanctions applied to other commercial operators for similar deeds.”

  • The Craiova Court of Appeal maintained, as well as the first court, the fine sanction in amount of EUR 2,000 ordered against the controller Nobiotic Pharma SRL, that did not provide the information requested by ANSPDCP within the investigation, aspect that represented a breach of the provisions of Article 85 paragraph (5) letter e) in conjunction with Article 58 paragraph (1) from Regulation (EU) no. 679/2016.

Therefore, it was found that “the claimant did not provide the information requested by the respondent (ANSPDCP), although three notification were addressed to it in this respect, reason for which the court considers that the respondent lawfully found the misdemeanour provided under Article 58 from Regulation (EU) 679/2016. ”

Regarding the individualisation of the sanction applied, “the court finds that the fine in amount of Lei 9,890, the equivalent of EUR 2,000, it proportionate to the degree of social danger of the deed committed in relation to the protection of personal data and the provisions of Article 85 paragraph (5) letter e) from Regulation (EU) 679/2016.”

Regarding the prescription period for the application of the fine, the Craiova Court of Appeal found that: “the provisions of GD no. 2/2001 are, in contravention field, provisions with a general character, thus finding their applicability each time a specific norm is not applicable. Within the case subject to this litigation, as the first instance found correctly, from the perspective of the prescription of theapplication of the fine sanction the provisions of Article 15 paragraph (4) from Law no. 102/2005 on the set up, organisation and functioning of the National Supervisory Authority for Personal Data Processing – Republished, provisions with special character and that applied with priority against the principle specialia generalibus derogant, is applicable. Therefore, every time there are derogatory provisions provided under special laws, applicable in that case, the latter have priority.

Or, in the case subject of this litigation specifically such a special provision, Law no. 102/2005, derogating from the common provisions, GD. No. 2/2001, is applicable.

Therefore, from the perspective of the prescription of the application of the fine, the provisions of Article 15 paragraph (4) from Law no. 102/2005, according to which the sanction provided under paragraph 1 can be applied within 3 years from the date of the deed.”

  • The Targu-Mures Court of Appeal maintained, as final, the fine sanction in amount of EUR 3,000 and the reprimand applied by ANSPDCP to the controller Actamedica SRL for the breach of the provisions of Article 12 paragraph (3), Article 15 paragraph (1), Article 28 paragraph (1), Article 32 and Article 33 from Regulation (EU) 2016/679 following a complaint regarding the loss of some biological samples and of a sum of money sent through a courrier company.

The court of appeal confirmed the solution of the first court, finding, among others, that: “the arguments (Actamedica) regarding its loss of liability cannot be retained, the provisions contained within the agreements concluded with other parties not being opposable to the persons that addressed exclusively to the appellant-plaintiff (Actamedica), entrusting to the latter the biological samples. In the same sense also the respondent-defendant showed that the appellant-plaintiff, as personal data controller,  together with the processor should have implemented adequate technical and organisational measures in order for the rights and freedoms of the natural persons not to be endangered, as more as the transport contained sensitive data, respectively to make sure that the processor offers sufficient guarantees for the implementation of the technical and organisational measures, in this respect also being the provisions of Article 28 paragraph (1) and Article 32 form the GDPR(…)

Moreover, as the respondent-defendant, the appellant Actamedica SRL is at fault given that, in case it would have consulted the Fan Courier website www.fancourier.ro regarding the general conditions for the provision of the postal services and the “Packaging Guide”, it could have easily observe that the biological samples/substances are forbidden to transportation and also that the postal shipments cannot contain “goods for which specific transportation conditions are established, through legal administrative, economic, sanitary provisions (…)”.

In the same case, the first court mentioned that “the fine in the amount applied is legal, efficient, proportionate and dissuasive and was established by taking into consideration the nature, gravity and consequences of the breach, as well as of all the other criteria provided under the Regulation, criteria that were correctly analysed by the defendant.”

“Regarding the validity of the sanctioning of the plaintiff, (…) the defendant prove that the constitutive elements of the misdemeanours found are fulfilled. Also, the plaintiff (Actamedica) did not prove the existence of another situation than the one retained within the findings report challenged.”

On the other hand, in order to ensure a full information of the large public, we underline a novelty aspect that recently intervened, regarding the ordering by the Bucharest Court of Appeal of sending some preliminary questions to the Court of Justice of the European Union, within file no. 31192/3/2019*, in which Inteligo Media SA challenged the fine in amount of EUR 9,000 applied by ANSPDCP, given that it challenged the processing principles, inclusively the conditions for obtaining the consent, through the non-observance of the provisions of Article 5 paragraph (1) letters a) and b), Article 6 paragraph (1) letter a) and of Article 7 from the General Data protection Regulation.

The preliminary questions are the following:

“1. In case a publication editor for online information press of the large public, not specialised within the domain, in relation to the legislative amendments appeared daily in Romania, obtains the e-mail address of an user with the occasion of the creation by the latter, free of charge, of an user account granting him the right (i) to access, free of charge, an additional number of articles of that publication, (ii) to receive, by e-mail, a daily information containing a synthesis with legislative novelties approached in articles from the publication and hyperlinks to those articles and (iii) to access, surcharge, additional and/or more extensive articles and analysis of the publication by reference to the daily information provided free of charge:

a) Is that e-mail address obtained by the editor of the online press publication “in the context of the sale of a product or service”, in the sense of Article 13 paragraph (2) from Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications) (Directive 2002/58/EC)”?

b) The provision by the press editor of an information such as the one described under point (ii) represents “the direct promotion of the own similar products and services”, in the sense of Article 13 paragraph (1) from Directive 2002/58/EC?

2. If the answers to questions no. 1 letters a) and b) are affirmative, which of the conditions provided under Article 6 paragraph (1) letters a)-f) from Regulation (EU) 2016/679 shall be interpreted as being applicable when the editor uses the e-mail address of the user with the purpose of providing a daily information such as the one described at question no. 1 point (ii), with the observance of the provisions of Article 13 paragraph (2) from Directive 2002/58/EC?

3. Article 13 paragraphs (1) and (2) from Directive 2002/58/EC shall be interpreted in the sense that it is against a national regulation that uses the notion of “commercial communication” provided under article 2 letter f0 from Directive 2000/31/EC of the European Parliament and of the Council of 8 June 2000 on certain legal aspects of information society services, in particular electronic commerce, in the Internal Market ('Directive on electronic commerce') (“Directive 2000/31/EC”) instead of the notion of “direct marketing” provided under Directive 2002/58/EC? If the answer is negative, an information such as the one described at question no. 1 point (ii) represents a “commercial communication” in the sense Article 2 letter f) from Directive 2000/31/EC?

4. If the answers to questions no. 1 letters a) and b) are negative:

a) The provision by e-mail of a daily information such as the one described under question no. 1 point (ii) above represents “the use (…) of electronic mail for direct marketing purposes” in the sense of Article 13 paragraph (1) from Directive 2002/58/EC? Respectively

b) Article 95 from Regulation (EU) 2016/679 corroborated with Article 15 paragraph (2) from Directive 2002/58/EC shall be interpreted in the sense that the non-fulfillment of the conditions regarding the obtaining of a valid consent of the user according to Article 12 paragraph (1) from Directive 2002/58/EC will be sanctioned according to Article 83 from Regulation (EU) 2016/679 or according to the provisions of Directive 2002/58/EC that, also, contains specific applicable sanctions?

5. Article 83 paragraph (2) from Regulation (EU) 2016/679 shall be interpreted in the sense that, a supervisory authority deciding to take the decision if to impose an administrative fine, as well as the decision regarding the value of the administrative fine in each case, has the obligation to analyse and explain within the sanctioning administrative act the impact of each of the criteria provided under letters a)-k) on the decision to impose a fine, respectively on the decision regarding the amount of the fine applied?”

As evolution, we mention that in this case, initially (2020), the Bucharest Tribunal maintained the fine in amount of EUR 9,000 applied by ANSPDCP and the control report, and then the Bucharest Court of Appeal sent the case to be reheard, in 221, considering that the first court did not make any own concrete assessment on the grounds of illegality invoked by the plaintiff (Inteligo Media SA) by limiting to take-over the defences formulated by the plaintiff (ANSPDCP).

When re-judging, the Bucharest Tribunal found again (2021) the legality of the control report of ANSPDCP and established the fine in amount of EUR 4,500, with the following motivation:

Regarding the amount of the fine the tribunal considers that the reduction of its amount is necessary (from, EUR 9,000 to EUR 4,357, Lei equivalent at the BNR exchange rate from 26.09.2019, 4357 being the number of users (natural data subjects) that did not express their consent through an unequivocal action that represents a manifestation of free, specific, informed and unambiguous of the consent of the data subjects for the processing of his/her personal data), given that, on one hand, the plaintiff is at her first breach of the GDPR, legal enactment, relatively newly entered within the legal order when starting the illegal activity and, on the other hand, it took the decision to suspense the appearance of the discussed field, until the solving of the case.”

Currently, the litigation is in front of the Bucharest Court of Appeal (case file no. 31192/3/2019*).

In this context, we remind that preliminary questions addressed to be ECJ were also sent by the Bucharest Tribunal within the case between ANSPDCP and Orange (case file no. 12278/3/2018), and the point of view of ECJ from Cause C-61/19 confirmed the interpretation of ANSPDCP.

This litigation is also in front of the judicial courts.

 

Legal and Communication Department

A.N.S.P.D.C.P