Fine for the infringement of GDPR
The National Supervisory Authority finalised on 24.02.2022 an investigation at the controller Briza Land SRL and found the breach of the provisions of Article 15 of the General Data Protection Regulation (GDPR).
The controller Briza Land S.R.L. was sanctioned with fine in amount of Lei 9,892.6, the equivalent of EUR 2,000.
The investigation was started following a complaint through which the claimant was arguing that he is not satisfied with the response received from the controller at his request for exercise of the right of access provided by Article 15 of the General Data Protection Regulation.
Within the investigation, it was found that the controller did not communicate to the claimant all the information regarding the processing of his personal data (such as the personal data processed, the source of the data, the data recipients), thus breaching the provisions of Article 15 of the GDPR.
In this context, we reiterate that Article 15 of GDPR provides that “The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information:
a) the purposes of the processing;
b)the categories of personal data concerned;
c) the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;
d) where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
e) the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
f) the right to lodge a complaint with a supervisory authority;
g) where the personal data are not collected from the data subject, any available information as to their source;
h) the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.”
Also, the corrective measure to communicate to the controller all the information regarding the processing of personal date, including the personal data processed, the source of the data, the recipients of the data, following its request for exercise of the right of access, according to Article 15 of GDPR, was ordered within 5 working days as of the communication of the minutes.