Press Release
In May 216, the National Supervisory Authority for Personal Data Processing carried out several ex officio investigations or based on the complaints received and applied the following sanctions.
Among them, we present the cases where sanctions have been applied with a minimum fine of 5000 lei.
1. B.R.D.
It was ascertain the “illegal processing of personal data” – provided by Article 32 of Law no. 677/2001 because BRD Groupe Societe Generale SA reported negative data to Biroul de Credit S.A., for several data subjects, without their prior information, by nonobserving Articles 8 (2) and 9 (1) of ANSPDCP Decision no. 105/2007 and Article 12 (1) of Law no. 677/2001.
For this offence, a sanction of an amount of 23000 lei was applied.
2. I.N.G.
It was ascertain the “illegal processing of personal data” – provided by Article 32 of Law no. 677/2001 because S.C. ING Bank N.V. Amsterdam, Bucharest Branch reported several times in the same month negative data to Biroul de Credit S.A. (an evidence system for credit bureau), for the same outstanding payment (referring to the overdue payment obligation), without observing the 30 days deadline from the due date, contrary to the provisions of Article 5 (1) of ANSPDCP Decision no. 105/2007 and Article 4 (1) (a) and (c) of Law no. 677/2001.
For this offence, a sanction of an amount of 20000 lei was applied.
3. OTP Bank Romania S.A.
It was ascertain the “illegal processing of personal data” – provided by Article 32 of Law no. 677/2001 because OTP Bank România S.A. reported negative data to Biroul de Credit S.A., for several data subjects, without their prior information, by nonobserving Articles 8 (2) of ANSPDCP Decision no. 105/2007, Article 12 (1) of Law no. 677/2001, Article 9 (1) of ANSPDCP Decision no. 105/2007 and Article 12 of the same decision.
For this offence, a sanction of an amount of 5000 lei was applied.
4. S.C. Farmacia Dona S.R.L.
It was ascertain the following:
- “failure to notify and malevolent notification” provided by Article 31 of Law no. 677/2001 under the form of failure to notify because S.C. Farmacia Dona S.R.L., even if it started since July 2015 to use the system for clocking working hours of the employees based on their biometrics – fingerprints, did not notify ANSPDCP prior to starting the processing, according to the obligations provided by Article 22 (1) of Law no. 677/2001
- “the illegal processing of personal data” provided by Article 32 of Law no. 677/2001 because S.C. Farmacia Dona S.R.L. processed since July 2015 biometric data considered to be excessive taking into account the purpose of the processing, namely the system for clocking working hours, because other methods could have been used (less intrusive) in order to achieve this goal and thus infringing Article 4 (1) of Law no. 677/2001
For these offences, sanctions of an amount of 9000 lei were applied:
- a fine of 1500 lei for the contravention provided by Article 31 of Law no. 677/2001;
- a fine of 7500 lei for the contravention provided by Article 32 of Law no. 677/2001.
5. S.C. Urgent Cargus S.R.L.
It was ascertain the following:
- “failure to notify and malevolent notification” provided by Article 31 of Law no. 677/2001 under the form of failure to notify because S.C. Urgent Cargus S.R.L. did not prove the notification of personal data processing for “monitoring/security of persons, public/private areas and/or goods” through video surveillance means, even if it had that obligation, thus breaching the provisions of Article 22 (1) of Law no. 677/2001 and Article 15 (1) of ANSPDCP Decision no. 52/2012;
- “the nonobservance of the conditions provided by Article 4 (5) of Law no. 506/2004, amended and completed” because S.C. Urgent Cargus S.R.L., on the website www.urgentcargus.ro, for the information retained on the terminal device of the user, did not fulfilled in the same time the conditions provided by Article 4 (5) (a) and (b) of Law no. 506/2004, namely obtaining the consent of the concerned user for the cookies exiting on the website www.urgentcargus.ro and for providing the information, prior to expressing the consent, about the general purpose of processing the information stored, the lifetime, what information are stored and accessed, as well as allowing the storage/access of certain third parties to the information retained on the terminal device of the user, contravention sanction according to Article 13 (1) (i) of Law no. 506/2004;
- “failure to fulfill the obligations regarding the confidentiality and enforcement of security measures”, provided by Article 33 of Law no. 677/2001 because S.C. Urgent Cargus S.R.L., up to the date writing the report of the investigation, did not adopt sufficient measures of confidentiality and security of the data processed and did not implement adequate technical and organizational measures for the protection of personal data against the unauthorized disclosure or access according to Article 20 of Law no. 677/2001.
For these offences, sanctions of an amount of 10000 lei were applied:
- a fine of 2000 lei for the contravention provided by Article 31 of Law no. 677/2001;
- a fine of 8000 lei for the contravention provided by Article 13 (1) (i) of Law no. 506/2004.
- a warning for the contravention provided by Article 33 of Law no. 677/2001.
6. S.C. Bogas Online S.R.L.
It was ascertain the following:
- “the nonobservance of the provisions of Article 12 concerning the unsolicited communication” provided by Article 13 (1) (q) of Law no 506/2004 because S.C. Bogas Online S.R.L. transmitted commercial messages through the electronic mail from newsletter@bogas-news.eu without being able to prove the existence of the prior expressed consent of the data subject (existing in the database of the persons subscribed to newsletter), thus infringing Article 12 (1) of Law no. 506/2004;
- “the nonobservance of the provisions of Article 12 concerning the unsolicited communication” provided by Article 13 (1) (q) of Law no 506/2004 because S.C. Bogas Online S.R.L. transmitted to the electronic email of a data subject commercial messages through the electronic mail from newsletter@bogas-news.eu without being able to prove the existence of the prior expressed consent of the recipient, thus infringing Article 12 (1) of Law no. 506/2004;
- “failure to fulfill the obligations regarding the confidentiality and enforcement of security measures”, under the form of failure to fulfill the obligation concerning the enforcements of security measures for the personal data, provided by Article 20 of the same law because S.C. Bogas Online S.R.L. did not develop and implement sufficient technical and organizational measures in order to protect the personal data against the accidental destruction, unauthorized loss, destruction or access for the collected data.
For these offences, the following sanctions were applied:
- a fine of 6000 lei for the contravention provided by Article 13 (1) (i) of Law no. 5006/2004;
- a warning for the contravention provided by Article 13 (1) (i) of Law no. 506/2004;
- a warning for the contravention provided by Article 33 of Law no. 677/2001 corroborated with Article 20 of the same law.
7. S.C. Arhexim S.R.L.
It was ascertain the following:
- “failure to notify and malevolent notification” provided by Article 31 of Law no. 677/2001 under the form of failure to notify under the conditions of Article 22 (1) of Law no. 677/2001 because S S.C. Arhexim S.R.L. did not notify, since 2003 and up to the date writing the report of the investigation, the processing of personal data for the purpose of providing the services via the website www.singur.ro;
- “the illegal processing of personal data” provided by Article 32 of Law no. 677/2001, by infringing Article 4 (1) (a) and (c) and Article 5 of Law no. 677/2001 because S.C. Arhexim S.R.L. processes the personal data of minors, without the consent of their legal representatives, in an excessive way taking into consideration the purpose of the website www.singur.ro and without being able to prove the express consent of the persons whose personal data are provided when registering on this website; moreover, it was disregarded the right of information provided by Article 12 (1) of Law no. 677/2001 because, up to the date writing the report of the investigation, S.C. Arhexim S.R.L. did not ensure the information of the data subjects whose personal data are collected via the website www.singur.ro.
For these offences, sanctions of an amount of 5000 lei were applied:
- a fine of 1000 lei for the contravention provided by Article 31 of Law no. 677/2001;
- a fine of 4000 lei for the contravention provided by Article 32 of Law no. 677/2001.
8. S.C. Rol Online Network S.A.
It was ascertain the following:
“The nonobservance of the provisions of Article 12 concerning the unsolicited communication” provided by Article 13 (1) (q) of Law no 506/2004 because .C. Rol Online Network S.A. transmitted to the electronic email of a data subject commercial messages through the electronic mail from editor-promo@nletters2.rol.ro within September 2015 – March 2016 without being able to prove the existence of the prior expressed consent of the recipient, thus infringing Article 12 (1) of Law no. 506/2004;
For this offence, a sanction of an amount of 5000 lei was applied.
9. ERB Retail Services IFN S.A.
It was ascertain the following:
- the “illegal processing of personal data” – provided by Article 32 of Law no. 677/2001 because ERB Retail Services IFN S.A. reported negative data to Biroul de Credit S.A., data belonging to the credit cards of several natural persons, without being able to prove the prior information, within 15 day before the reporting, according to Article 12 (1) of Law no. 677/2001 and Article 8 of Decision no.105/2007;
- the “illegal processing of personal data”, provided by Article 32 of Law no. 677/2001, by breaching Article 14 (1) of the same law because S ERB Retail Services IFN S.A. did not answer the requests of a natural persons exercising the right of intervention, namely to adopt measures in order to delete the negative data transmitted to Biroul de Credit S.A., without his prior information.
For these offences, sanctions of an amount of 6000 lei were applied:
- a fine of 3000 lei for the contravention provided by Article 32 of Law no. 677/2001, with regard to Article 12 of Law no. 677/2001 and Article 8 of ANSPDCP Decision no. 105/2007, in conjunction with Article 8 of G.O. no. 2/2001;
a fine of 3000 lei for the contravention provided by Article 32 of Law no. 677/2001, with regard to Article 14 of the same law, in conjunction with Article 8 of G.O. no. 2/2001.