20.03.2025
Sanction for the breach of the GDPR
The National Supervisory Authority for Personal Data Processing completed, in February 2025, an investigation at the controller ONE UNITED PROPERTIES S.A. and found a breach of Article 6, Article 12 paragraph (3), Article 15 and Article 17 of Regulation (EU) 2016/679.
As such, the controller was sanctioned:
- with a fine of 4,977.00 lei (the equivalent of 1,000 euros) for the infringement of Article 6 of Regulation (EU) 2016/679;
- with a fine of 4,977.00 lei (the equivalent of 1,000 euros) for the infringement of Article 12 paragraph (3), Article 15 and Article 17 of Regulation (EU) 2016/679.
The investigation was initiated following the receipt of some petitions in which an individual claimed that the provisions of Regulation (EU) 2016/679 had been violated.
During the investigation, the National Supervisory Authority for the Processing of Personal Data found that the controller had sent the data subject, over a certain period of time, unsolicited commercial messages. In this context, the controller had not provided evidence of the existence of consent obtained from the data subject for the processing of his or her personal data for marketing purposes, thus violating the provisions of Article 6 of Regulation (EU) 2016/679.
At the same time, it was found that the data subject had requested, through repeated requests, the confirmation as to whether or not his or her personal data were being processed by the controller, as well as whether these data had been deleted, as he or she was receiving unsolicited commercial messages.
Thus, the controller did not provide proof that it had sent a response, within the legal deadline of no more than one month, to the data subject's requests to exercise the rights of access and deletion. Therefore, the provisions of Article 12 paragraph (3), Article 15 and Article 17 of Regulation (EU) 2016/679 were violated.
At the same time, pursuant to the provisions of Article 58 paragraph (2) letters c) and d) of Regulation (EU) 2016/679, the following corrective measures were also ordered against the controller:
- to take the necessary measures to ensure that, in the future, processing operations comply with the provisions of Regulation (EU) 2016/679, namely to avoid the processing of personal data without the consent of the data subjects and without the existence of another legal basis for the processing of the data subjects’ data, including for marketing purposes, with reference to the provisions of Article 6 of Regulation (EU) 2016/679;
- to adopt internal procedures regarding the manner of resolving requests submitted by data subjects pursuant to the provisions of Articles 12-22 of Regulation (EU) 2016/679, to ensure compliance in all cases with the applicable provisions regarding the analysis and resolution of these requests and the communication of responses to the data subjects within the legal deadlines, and to provide regular training of the controller’s staff in this regard;
- to send the data subject a response to the requests to exercise the right of access and the right of deletion.
Legal and Communication Department
A.N.S.P.D.C.P