09.08.2022
Sanction from the infringement of GDPR
The National Supervisory Authority finalized in June 2022 an investigation at the controller CDI Transport Intern si International SRL and found the breach of the provisions of Article 58 paragraph (1) letter a) and e) and Article 12 paragraph (1) of the General Data Protection Regulation.
Therefore, the controller was sanctioned:
- with fine in amount of Lei 34,630.60 (the equivalent of EUR 7,000) for the breach of the provisions of Article 58 paragraph (1) letters a) and e) of the General Data Protection Regulation;
- with reprimand, for the breach of the provisions of Article 12 paragraph (1) of the General Data Protection Regulation.
The investigation was started following an intimation through which it was notified that on the website of the company there is no information on the manner of collection of the personal data, on the rights provided under Article 15-22 of the General Data Protection Regulation that the data subjects benefit from, on the manner of exercise of these rights and on the fact that the controller has the obligation to inform the data subjects in case of breach of the personal data security.
Within the investigation performed, following the fact that the controller did not provide the information requested by our institution within the legal deadline, it was found the breach of the provisions of Article 58 paragraph (1) letters a) and e) of the General Data Protection Regulation.
Also, it was found that the controller CID Transport Intern si International SRL did not ensure a clear, complete and accurate information of the data subjects whose personal data are processed by the company, given that it did not provide all the information stipulated under Articles 12-22 of the General Data Protection Regulation, such as those regarding the purpose of the processing and the legal basis, the identity and contact data of the controller, the period for which the data will be stored or the criteria used to establish this period, the conditions for exercise of the rights. Therefore, the breach of the provisions of Article 12 paragraph (1) of the General Data Protection Regulation was found.
At the same time, the corrective measure to ensure the information of the data subjects through the communication under a concise, transparent, intelligible and easily accessible form of all information provided under Article 12 of the General Data protection Regulation was also taken against the controller.
Legal and Communication Department
A.N.S.P.D.C.P.