The National Supervisory Authority for Personal Data Processing, completed, in August current year, an investigation at the controller Dr. MAx SRL and found a violation of the provisions of Article 12 paragraphs (3) and (4) and of Article 17 of the General Data Protection Regulation (GDPR).

As such, the controller was sanctioned with a fine of 5057.8 lei, the equivalent of 1000 euros.

The investigation was initiated following a complaint by which the petitioner complained about the refusal of the controller Dr.Max SRL to comply with her request to delete personal data.

During the investigation, the National Supervisory Authority found that an employee of the controller had retained a copy of the complainant’s identity card without her consent.

It was also found that the controller had not presented evidence of communication of a response to the complainant’s request by which she had exercised her right to delete data from the controller’s records, thus infringing the provisions of Article 12 paragraphs (3) and (4) and Article 17 of the GDPR.

At the same time, pursuant to the provisions of Article 58 paragraph (2) letters c) and d) of Regulation (EU) 2016/679, the following corrective measures were ordered against the controller Dr.Max SRL:

revising/updating/implementing internal procedures regarding the manner of handling requests submitted by data subjects pursuant to Regulation (EU) 2016/679 (Articles 12-22), complying in all cases with the applicable provisions regarding the assessment and handling of these requests without delay, so that the controller ensures that it effectively responds to requests through which the rights of data subjects are exercised, as well as regularly training the operator’s staff in this regard;
communicating a response to the applicant to the request to exercise the right to erasure on the date.

We mention that the controller Dr. Max SRL paid the fine imposed.

Legal and Communication Department

A.N.S.P.D.C.P