Sanction for the infringement of GDPR
The National Supervisory Authority finalised, during March 2022, an investigation at the controller IKEA Romania S.R.L. and found the breach of the provisions of Article 12 paragraph (3) from the General Data Protection Regulation.
Therefore, the controller was sanctioned with a fine in amount of Lei 4,949 (the equivalent of EUR 1,000).
The investigation was started following a complaint through which the data subject claimed that he/she addressed to the controller for the erasure of an user account.
Within the investigation performed, it resulted that the data subject, through repetitive requests, has exercised his/her right to erasure of his/her personal data from an Ikea user account, created based on an e-mail address.
The National Supervisory Authority found that the controller IKEA Romania S.R.L. did not prove that it provided within the legal deadline a response to the requests through which the data subject exercised his/her right to erasure provided under Article 17 from the General Data Protection Regulation, which represents a breach of the provisions of Article 12 paragraph (3) from the General Data Protection Regulation.
Through Article 12 paragraph (3) from the General Data Protection Regulation it is established that:
“The controller shall provide information on action taken on a request under Articles 15 to 22 to the data subject without undue delay and in any event within one month of receipt of the request. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests. The controller shall inform the data subject of any such extension within one month of receipt of the request, together with the reasons for the delay. Where the data subject makes the request by electronic form means, the information shall be provided by electronic means where possible, unless otherwise requested by the data subject.”
At the same time, within the investigation, also the corrective measure to take all necessary measures in order to observe, in all cases, the rights of the data subjects provided under the General Data Protection Regulation, was applied to the controller.
Legal and Communication Department