13.03.2023
Sanction for the GDPR infringement
The National Supervisory Authority finalised in January this year an investigation at the controller Modaone SRL within which it found the breach of the provisions of Article 12 and Article 13 from the General Data protection Regulation.
Therefore, the company Modaone SRL was sanctioned with fine in amount of Lei 9,871 (the equivalent of EUR 2,000).
The investigation was started following a complaint submitted by a data subject through which it reported that commercial messages were provided to his/her e-mail address from www.kalapod.net, with the breach of the right to object, although it was previously communicated that such messages no longer will be provided.
Within the investigation performed it was found that Modaone SRL, owner of www.kalapod.net, does not provide full, correct, accurate and updated information on the personal data processing, as provided under Article 13 from the GDPR (for example, the recipients of the personal data, the storage periods, the right to submit a complaint with the supervisory authority), also imposing excessing conditions for the exercise of the rights by the data subject, thus breaching the provisions of Article 12 and 13 from the GDPR.
At the same time, based on Article 58 paragraph (2) letter d) of the General Data protection Regulation, the following corrective measures were imposed to the controller:
- The implementation of adequate measures for the observance of the GDPR provisions, in order to further on process personal data of the data subjects for direct marketing purposes that envisage the use of electronic communication services (e-mail, telephone) only subject to obtaining their specific and prior consent, including the adoption of some procedures in this respect, and the corresponding amendment of the applicable sections on the website kalapod.net;
- The amendment of the section ”Terms and conditions” from the website kalapod.net in order for the data subjects to be provided with full, correct, accurate and updated information in relation to the processing of personal data; also, the excessive condition for the submission of the request ”in writing, dated and signed” in case they are provided by e-mail, as well as the excessive condition for the request of the copy of the identity card for the exercise of the rights provided under the GDPR will be eliminated.
Legal and Communication Department
A.N.S.P.D.C.P.