On 10 July 2023, the Romanian DPA announced that the Bucharest Tribunal, in the first instance, maintained the inspection minutes which found that the national consumer protection authority (“ANPC”) had collected a large amount of personal data from the complaints received through WhatsApp, which was not under ANPC’s full control, without taking into account the risks involved, thus breaching Article 32(2) of the GDPR.
For the ANPC’s violation found in 2022, the Romanian DPA imposed a reprimand based on the Law implementing the GDPR, as well as a corrective measure to process personal data only by using means of processing personal data under its control. Such measures include the implementation of appropriate technical and organizational measures to ensure and be able to demonstrate that the processing is carried out in accordance with the GDPR. The investigation was launched following several complaints that the ANPC decided to assign mobile phone numbers to receive complaints, even though the ANPC had other means of receiving petitions (email, online, website, mail).
In light of the Romanian DPA’s findings contained in the inspection minutes, the court dismissed the ANPC’s appeal as unfounded.
In this context, the Romanian DPA emphasizes that processing data through WhatsApp might breach the individuals’ right to privacy and protection of personal data by reference to the principles relating to the processing of personal data under the GDPR.
The press release is available here (only in Romanian).
