13/05/2021
A new sanction for the infringement of GDPR
The National Supervisory Authority finalised on 23.04.2021 an investigation with the controller Telekom Romania Communications SA and found the breach of the provisions of Article 6 and 21 from the General Data Protection Regulation.
The controller Telekom Romania Communications SA was sanctioned with a reprimand for the breach of the provisions of Article 6 from the Regulation (EU) 2016/679 and with a fine in amount of Lei 9.851,40 (the equivalent of the amount of Eur 2,000) for the violation of Article 21 from the same Regulation.
The sanctions were applied following a complaint through which it was argued that the claimant was contacted on his telephone number for marketing purposes by a representative of Telekom, although he has withdrawn his consent for the use of his personal data together with the termination of the contractual relationship with the controller.
Subsequently, the claimant has exercised his right to object to the processing of his personal data for marketing and advertising purposes by requesting to the controller the deletion of his phone number and e-mail address from the Telekom database.
Nevertheless, the claimant was contacted again by a Telekom representative for marketing purposes. Therefore, the claimant has submitted a new request to the controller in order not to be further contacted and to delete his phone number and e-mail address from the database.
Following this request, the controller communicated to the claimant that his e-mail and phone number have been deleted from the clients’ management system, also confirming that he has been called by a Telekom representative which, by human error, did not realize that he did not have the permission of the claimant to call him.
During the investigation carried out the National Supervisory Authority found that Telekom România Communications S.A. has processed the personal data of the claimant for marketing purposes without having a legal basis, thus breaching the provisions of Article 6 of the GDPR.
Also, the controller has contacted by phone the claimant although the latter had exercised his right to object, thus breaching the provisions of Article 21 of the GDPR.
In this context, we remind that within Chapter III from the Regulation (EU) 2016/679 the rights of the data subject are regulated: the right to information, the right of access, the right to rectification, the right to erasure (”the right to be forgotten”), the right to restriction of processing, right to data portability, right to object, the right not to be subject to a decision based solely on automated processing, the right to lodge a complaint with a competent supervisory authority.
Legal and Communication Department
ANSPDCP