The National Supervisory Authority for Personal Data Processing completed an investigation at the controller PPC Energie Muntenia S.A and found the infringement of Article 17 of Regulation (EU) 2016/679.

As such, the controller was sanctioned with a fine of 4,977.1 lei (the equivalent of 1,000 euros).

The investigation was started as a result of a complaint submitted by a data subject who indicated that he had received unsolicited commercial messages on his e-mail address.

During the investigation, it was found that the data subject exercised his right of erasure several times regarding the termination of the processing of his e-mail address by the controller.

Although the data subject received confirmation that the said e-mail address will no longer be used for the indicated place of consumption and will be deleted from the database, and the account created with the petitioner’s e-mail address was deleted, the controller continued to send electronic messages.

As such, the controller did not comply with the client’s requests by which he requested the termination of processing by deleting his e-mail from this database, thus violating the provisions of Article 17 of Regulation (EU) 2016/679.

At the same time, pursuant to Article 58 paragraph (2) letter c) of the GDPR, the corrective measure of reviewing/updating/implementing some internal procedures regarding the way of handling the requests submitted by the data subjects, pursuant to Articles 12-22 of Regulation (EU) 2016/679, compliance in all cases with the applicable provisions regarding the assessment and handle of these requests without delay, so that the controller ensures that it effectively responds to the requests through which the rights of the data subjects are exercised, as well as the regular training of the controller’s staff in this regard was ordered against the controller.

Legal and Communication Department

A.N.S.P.D.C.P