The National Supervisory Authority finalized in May 2022 an investigation at the controller Wine Point S.R.L. and found the breach of the provisions of Article 32 paragraph (2) letter b) of the General Data Protection Regulation.

Therefore, the controller Wine Point SRL was sanctioned with fine in amount of Lei 14,826.90 (the equivalent of EUR 3,000).

The investigation was started following an intimation through which a data subject reported that he/she received from the controller, through e-mail, a commercial message, that was addressed also to other persons, their e-mail addresses being visible to all the 810 recipients.

Within the investigation performed, it was found that the controller did not implement sufficient technical and organizational measures to ensure the confidentiality of the personal data processed by providing from the electronic post address of the controller of a promotional commercial message to the e-mail addresses of several data subjects.

Therefore, Wine Point S.R.L. disclosed unauthorized personal data, which represented a breach of the provisions of Article 32 paragraph (1) letter b) of the General Data Protection Regulation.

Also, it was recommended to the controller Wine Point S.R.L. to implement appropriate technical and organizational measures for the case of remote provision of the personal data.

Legal and Communication Department

ANSPDCP