Home » Comunicat_Presa_16_09_2024
 Română | English | Francais

16.09.2024

Sanctions for the infringement of the GDPR

 

The National Supervisory Authority for Personal Data Processing closed investigations on two data controllers and found the violation of Article 12 (3), Article 15 and Article 17 of the General Data Protection Regulation (GDPR).

The data controllers have received the following sanctions:

1. The data controller Vodafone România SA was sanctioned with an administrative fine in the amount of 14,930 RON (the equivalent of 3,000 EUR).

The sanction was imposed following a complaint that the controller failed to respond to the complainant’s request to exercise their rights of access and erasure under the GDPR.

During the investigation, the National Supervising Authority found that Vodafone România SA had not submitted any proof that it sent a reply to the complainant’s request to their rights of access and erasure within 30 days, the reply having been communicated to them by the controller after our institution had taken the appropriate steps.

In this context, the data controller Vodafone România SRL was sanctioned with a fine for the violation of Article 12 (3), Article 15 and Article 17 of the GDPR.

At the same time, a corrective measure has been imposed on the data controller Vodafone România SA, consisting of adopting internal procedures for handling requests of data subjects pursuant to the GDPR (Article 12-22), complying at all times to the applicable provisions concerning the prompt consideration and handling of such requests and the provision of replies to data subjects within the legal deadlines, as well as to train staff regularly.

2. The data controller SC Class IT Outsourcing SRL was sanctioned with an administrative fine in the amount of 4,976.7 RON (the equivalent of 1,000 EUR).

The sanction was imposed following a complaint that the controller failed to respond to the complainant’s request to exercise their right to erasure.

During the investigation, the National Supervising Authority found that SC Class IT Outsourcing SRL had not submitted any proof that it sent a reply to the complainant’s request to their right to erasure within 30 days, the reply having been communicated to them by the controller after our institution had taken the appropriate steps.

In this context, the data controller SC Class IT Outsourcing SRL was sanctioned with a fine for the violation of Article 12 (3) and Article 17 of the GDPR.

At the same time, a corrective measure has been imposed on the data controller, consisting of adopting internal procedures for handling requests of data subjects pursuant to the GDPR (Article 12-22), complying at all times to the applicable provisions concerning the prompt consideration and resolution of such requests and the provision of replies to data subjects within the legal deadlines, as well as to train staff regularly.

 

Legal and Communication Department

A.N.S.P.D.C.P.