Fine for the infringement of GDPR
On 14.10.2021, the National Supervisory Authority finalised an investigation at the controller IKEA ROMÂNIA S.A., which found a breach of the provisions of Article 32 paragraph (1) letter b) and paragraph (2) of the General Data Protection Regulation.
Therefore, the controller was sanctioned with a fine in the amount of Lei 4,948.80 (the equivalent of EUR 1,000).
The investigation was started after IKEA ROMÂNIA S.A. submitted a personal data breach notification to the National Supervisory Authority for Personal Data Processing.
According to the notification form, IKEA ROMÂNIA S.A. organised a drawing contest in which the children of Ikea Family members participated. The participants uploaded their drawings to the online platform dedicated to members, together with the participation forms, which contained their personal data and the data of their parents/legal guardians, including their consent. For the vote on the best drawing, the children's drawings were published on the online platform, by error, together with the personal data from the participation forms.
At the date of the investigation, it was found that the data breach resulted in the unauthorised disclosure of the personal data of Ikea Family members (first name, last name and age of the children; first name, last name, city, country, e-mail, Ikea Family member number and handwritten signature of the parent/legal guardian) on the online platform dedicated to Ikea Family members from Romania, accessible only to those members, for approximately 40 hours, affecting 114 natural persons (half of them children).
Therefore, it was found that this data breach compromised the confidentiality of the data, in breach of the provisions of Article 32 paragraph (1) letter b) and paragraph (2) of the GDPR.
In this context, we recall that, according to Recital 38 of the GDPR, “Children merit specific protection with regard to their personal data, as they may be less aware of the risks, consequences and safeguards concerned and their rights in relation to the processing of personal data. Such specific protection should, in particular, apply to the use of personal data of children for the purposes of marketing or creating personality or user profiles and the collection of personal data with regard to children when using services offered directly to a child. The consent of the holder of parental responsibility should not be necessary in the context of preventive or counselling services offered directly to a child.”
Legal and Communication Department