All sanctioned entities failed to provide the Romanian DPA with access to the requested information, which was necessary for the performance of the investigative duties of the supervisory authority. The fines are grounded on Article 83(5), letter (e) of the GDPR.
In the case of one of the private companies, the investigation started as a result of several petitioners having informed the Romanian DPA on the fact that they have received on their personal telephone numbers, via short message service (SMS), commercial messages promoting the services of a website owned by the legal entity, without their consent.
As concerns the homeowners association, the investigation started following a complaint where the petitioner claimed that he/she received no response to the request submitted to the respective homeowners association.
The Romanian DPA has not revealed the details of the investigation carried out in respect of the third sanctioned private company.
In all these three cases, with a view to perform the assessment of the facts, the Romanian DPA has send requests for additional information and explanations to the investigated entities. The sanctioned entities failed to respond to the requests of the Romanian DPA or failed to deliver all requested information/documentation.
It goes without saying that these GDPR fines are not of the type that we were used to see being imposed by the Romanian DPA - most of them being either for insufficient implementation of security measures to protect personal data or for non-observance of some of the GDPR data processing principles.
While all these sanctions are definitely based on the failure to provide access to information and documents in violation of Article 58(1) of the GDPR, the public announcements on the authority website refer rather to breaches of (or failure to comply with) corrective measures and not orders issued based on the investigative powers of the authority.
Besides the administrative fines, the Romanian DPA ordered once more to the sanctioned entities to provide the missing information/documents, the request being again presented as being a corrective measure.
It seems that the authority targeted to raise awareness among controllers and processors that it is in their best interest to provide the requested data in investigation contexts, and that cooperation with the supervisory authority is not optional.
All these measures – as well as the fact that there were three such sanctions within one month - signal to us that the Romanian DPA is open to raise the standards when it comes to dealing with data protection topics and cooperation with the supervisory authority.
Article provided by: Adelina Iftime Blagean and Nina Lazar (Wolf Theiss, Romania)
Dr. Tobias Höllwarth (Managing Director INPLP)