On 20 June 2023, the Romanian DPA announced that it had fined an online retailer:
- with EUR 30,000 for breaching Articles 12(2) and 17(1) of the GDPR, on the requirement to facilitate the exercise of data subjects’ rights and to delete their personal data without undue delay
- with EUR 10,000 for breaching Article 6(1)(a) of the GDPR, for continuing to process a data subject’s e-mail address without his/her consent following a request for rectification.
The Romanian DPA also issued a warning for breaching Articles 13(1)(c), (e), (f) and 14(1)(c), (e), (f) of the GDPR, as at the time the Romanian DPA opened the investigation, the information on the website did not provide complete information on transfers to third countries, or on the purposes and the recipients of personal data in this context.
Furthermore, the Romanian DPA imposed the following corrective measures:
- to ensure that data subjects are fully informed by providing all the information required by Articles 13 and 14 of the GDPR, including in the context of the transfer of personal data to third countries, information to be available on the websites managed by the online retailer, in the national language version of each country
- to implement an anonymization method to prevent the risk of re-identification of individuals whose personal data are subject to this procedure, in accordance with Article 32 of the GDPR
- to provide regular training to the employees of the companies in the same group as the online retailer (in Romania, Hungary and Bulgaria) on the procedure to be followed to properly manage the data subjects’ requests under the GDPR.
As part of the cooperation mechanism provided for in the GDPR, the Romanian DPA was notified by the Hungarian DPA of complaints filed by three individuals from Hungary against an online retailer.
The Hungarian DPA considered the Romanian DPA to be the lead supervisory authority in this case, as the online retailer has its main establishment in Romania. The Romanian DPA accepted the proposal to act as lead supervisory authority.
Findings of the Romanian DPA:
During its investigation of the three reported complaints, the Romanian DPA found the following:
1. In the first case, a complainant requested the deletion of the account that he/she had created on the Hungarian website by sending an e-mail to a general information e-mail address. In the reply received from this e-mail address, the complainant was asked to send a dated and signed (scanned or photographed) request to another e-mail address that appeared to be dedicated to data protection issues.
The Romanian DPA found that the online retailer did not provide regular and adequate training to the group’s employees on the procedure to be followed in dealing with data subjects’ requests.
It was found that the training of the employees of the Hungarian entity was mainly provided at the time of recruitment and within each entity of the group, and thereafter only in “specific and particular situations at departmental level”.
However, the Romanian DPA noted that, under Article 24 of the GDPR, the controller is required to implement appropriate technical and organizational measures, including adequate data protection policies, to ensure and be able to demonstrate that processing is carried out in accordance with the GDPR. These policies should adequately address the handling of requests received from data subjects, as well as the implementation of regular training for employees involved in the processing of personal data.
2. In the second case, another complainant sent requests for the deletion of his/her personal data to several of the online retailer’s e-mail addresses, including via the contact form on its website, but this was not possible because the complainant’s messages were rejected by the servers as coming from an untrusted address.
The Romanian DPA found that the establishment of a single and exclusive communication channel to be used by the data subjects, as well as the lack of adequate information on certain limitations from a technical point of view, could lead to an unjustified restriction of their rights.
It was also found that the information on the Hungarian website did not contain complete information on transfers to third countries, or on the purposes and the recipients in this context, as required by Articles 13(1)(c), (e), (f) and 14(1)(c), (e), (f) of the GDPR.
The Romanian DPA mentioned that the online retailer had amended its personal data processing policy, published on its websites, to allow data subjects to submit requests under the GDPR both by e-mail and by post/courier to a physical address in that country.
3. In the third case, another complainant stated that one of his/her e-mail addresses was still being processed, despite his/her request to replace it with another e-mail address.
The Romanian DPA found that although the request for rectification was initially granted, when the online retailer confirmed to the complainant that his/her e-mail address had been corrected, the original e-mail address was still processed in the context of a lengthy correspondence with the complainant.
As it was found that the complainant’s e-mail address was still stored in the database for the purpose of fulfilling the legal obligation to keep accounting records, in view of the electronic invoices previously sent, the Romanian DPA considered that this purpose of processing was different from the one related to the handling of complaints, so that the reactivation of this e-mail address and its use in electronic correspondence would have been possible only on the basis of the data subject’s consent.
The Romanian DPA noted that the three cases were analyzed in the light of the criteria for individualization of fines set out in Article 83(2) and (3) of the GDPR, including by reference to the negligent nature of the online retailer’s culpability in these cases, the measures adopted by the online retailer in the course of the investigation to remedy some of the issues raised, as well as the previously existing sanctions applied by the Romanian DPA against the same online retailer.
The Romanian DPA noted that the cooperation procedure based on Article 60 of the GDPR was followed.
The press release is available here (only in Romanian).