Sanction for the infringement of GDPR
The National Supervisory Authority finalised in February 2021 an investigation at the controller BNP Paribas Personal Finance SA Paris Bucharest Branch and found the ”violation of the provisions of Article 12 regarding the unsolicited communications”, provided under Article 13 paragraph (1) letter q) of Law no. 506/2004 on the processing of personal data and the protection of privacy in the electronic communications sector, amended and supplemented.
Therefore, the controller BNP Paribas Personal Finance SA Paris Bucharest Branch was sanctioned with a fine in amount of Lei 10,000.
The investigation was started following a complaint submitted by the data subject in relation to the fact that he has received on his telephone number a commercial type SMS message from BNP Paribas Personal Finance S.A. Paris Bucharest Branch.
Following the investigation it was found that the controller did not proof the existence of the prior consent of that data subject, according to Article 12 of Law no. 506/2004, amended and supplemented, although the claimant has previously exercised, repeatedly, the right to object to the processing of his personal data for marketing purposes.
The provisions of Article 12 of Law no. 506/2004, amended and supplements, states the following:
”(1)The undertaking of commercial communications by using automated calling systems without human intervention, fax, electronic mail, or any other method employing publicly available electronic communications services, is forbidden, except in cases where the subscriber concerned has previously given his/her consent to receive such communications.
(2) Notwithstanding paragraph (1), where a natural or legal person directly obtains from a customer his/her electronic mail address, in the context of the sale of a product or a service to that customer, in accordance with the provisions of the Law no. 677/2001, the natural or legal person concerned may use that electronic mail address for undertaking commercial communications referring to similar products or services marketed by that person, provided that customers are given clearly and distinctly the possibility to object, free of charge and in an easy manner, to such use when the electronic mail address is obtained and on the occasion of each message in case the customer has not initially objected.
(3) In any event, the undertaking of commercial communications by electronic mail concealing the real identity of the sender on whose name and behalf the communication is made, with the breach of Article 5 from Law no. 365/2002, republished, or without specifying a valid address to which the recipient may send a request that such communications cease or through which the recipients are encouraged to visit Internet pages that contravene Article 5 from Law no. 365/2002, republished, shall be prohibited.
(4) The provisions of paragraphs (1) and (3) shall correspondingly apply to the subscribers who are legal persons.”
Also, Article V paragraph (2) of Law no. 129/2018 provides that ”all reference to Law no. 677/2001, with the subsequent amendments and supplementations, from the normative acts shall be construed as reference to the General Data Protection Regulation and to the law for its implementation.”
Legal and Communication Department