On 11 May 2023, the Romanian DPA announced two fines of (i) EUR 1,000 for infringement of Art. 12 para. (4) in conjunction with Art. 15 para. (3) of the GDPR, and (ii) EUR 10,000 for infringement of Article 12 para. (2) in conjunction with Art. 15 para. (3) and (4) of GDPR.
There seems to be an increase in the fines’ amount for violations of data subjects’ rights compared to those previously imposed by the DPA.
The Romanian DPA initiated the investigation following a complaint alleging that the controller refused to fully comply with the data subject’s request to exercise the right of access and failed to provide certain information to the data subject.
The investigation was completed in March 2023 and held the violation of Articles 12 (“Transparent information, communication and modalities for the exercise of the rights of the data subject”) and 15 (“Right of access by the data subject”) of the GDPR, as follows:
- the controller did not prove that it had provided a complete response to the data subject’s request, as it did not communicate a copy (in the requested form) of the personal data processed and did not send the reply to the postal address mentioned in the contract, as requested by the data subject (infringement of Art. 15 para. (3) of the GDPR);
- the answer sent to the data subject by e-mail did not contain information on the possibility to lodge a complaint with a supervisory authority and to lodge a judicial remedy for the refusal to provide him with a copy of the requested video recording (infringement of Art. 12 para. (4) in conjunction with Art. 15 para. (3) of the GDPR);
- the controller did not provide evidence showing that it had adopted measures to facilitate the exercise of the data subject’s right of access to copies of the video recordings (infringement of Article 12 para. (2) in conjunction with Art. 15 para. (3) and (4) of the GDPR).
Additionally, the following corrective measures were also ordered against the controller:
- to respond to the data subject’s request by communicating all the information set under Art. 15 para. (1) and (2) of the GDPR and the copy of the personal data referred to in Art. 15 para. (3) of the GDPR, adapted to the particular situation of the data subject, in the format requested by the data subject (i.e., by post as indicated by the data subject);
- to take appropriate technical and organizational measures to facilitate the exercise of the rights of data subjects, in particular the right of access to a copy of their personal data undergoing processing, including by using software allowing the editing of information likely to prejudice the rights and freedoms of others.
The details presented in the press release do not show whether the DPA has considered or anticipated any of the main findings outlined this month by the Court of Justice of the European Union (“CJEU”) in its judgment delivered in Case C-487/21 (Österreichische Datenschutzbehörde and CRIF).
Among others, by this judgment, the CJEU interpreted that the right to obtain from the controller a “copy” of the personal data entails the right to obtain copies of extracts from documents or even entire documents or extracts from databases that contain, inter alia, those data, if the provision of such a copy is essential in order to enable the data subject to exercise effectively the rights conferred on him or her by the GDPR (see our previous update on this here).
The press release is available here (only in Romanian).