Sanction of a controller for the infringement of the GDPR provisions
On the 27th of March 2020, the National Supervisory Authority finalised an investigation at the controller Dante Internațional S.A., the owner of e-MAG.ro and found that it infringed the provisions of Article 6 of the General Data Protection Regulation, in relation to the provisions of Article 21 paragraph (3) of the Regulation.
The controller Dante Internațional SA was sanctioned with an administrative fine of 14,420.4 lei, the equivalent of 3,000 euros.
The sanction was applied to the controller because at the end of 2019 it sent a commercial message to a natural person, although at the beginning of 2019 the controller had confirmed to him/her the unsubscription from commercial communications.
At the same time, two corrective measures were imposed to the controller Dante Internațional SA, pursuant to the provisions of Article 58 paragraph (2) letters c) and d) of the General Data Protection Regulation.
Thus, the controller was obliged to implement, within 3 working days from the communication of the minutes of finding/sanctioning, the request of the natural person to have deactivated from the database the setting regarding the transmission to his/her e-mail address of the commercial messages. At the same time, the controller was obliged to take measures, within 20 days from the date of communication of the minutes of finding/sanctioning, so that the provisions of Article 21 of the Regulation are respected.
In this context we mention that Article 21 paragraph (3) of the General Data Protection Regulation, provides that “where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.”