The National Supervisory Authority has concluded in February 2021 an investigation at the BNP Paribas Personal Finance SA Paris Bucharest Branch and has revealed that the commission of the act of “non-compliance with what is required by the article 12 on unwanted communications” required by the article 13, paragraph 1, letter q) of the Law n. 506/2004 on personal data processing and privacy protection into the e-communications, modify and integrated. 

For this reason, the BNP Paribas Personal Finance SA Paris Bucharest Branch has been sanctioned with a fine of 10.000 lei. 

The investigation started after a complaint sent by the interest about the receipt on its mobile phone of a commercial SMS by BNP Paribas Personal Finance SA Paris Bucharest Branch.

After the investigation has arisen that the BNP Paribas Personal Finance SA Paris Bucharest Branch has not demonstrated the existence of the previous consent of the data subject, according to the article 12 of the Law n. 506/2004,  modified and integrated, even if the signatory has excited, a lot of times, the right to object to personal data processing for marketing purposes. 

The disposals of the article 12 of the Lan. 506/2004 as modified and integrated, requires the following:

1. It is prohibited to conduct commercial communications using automated calling and communication systems which do not require the intervention of a human operator, by fax or by electronic mail or by any other method using publicly available electronic communications services, unless the subscriber or user concerned has given prior express consent to receive such communications
2. Notwithstanding paragraph 1, where a natural or legal person obtains directly the electronic mail address of a customer when selling a product or service to him, in accordance with the provisions of Law No 677/2001, that natural or legal person may use that address for commercial communications concerning similar products or services that that person markets, provided that it clearly and expressly gives customers the opportunity to object by a simple means free of charge to such use, both in obtaining the e-mail address and in each message, if the customer did not initially oppose it.
3. in all cases it is prohibited to make by electronic mail commercial communications in which the real identity of the person in whose name and on whose behalf they are made is hidden, in breach of Article 5 of Law No 365/2002, republished, Or where a valid address is not specified to which the addressee may submit his request for the cessation of such communications, or where the recipients are encouraged to visit websites contrary to Article 5 of the republished Law No 365/2002.
4. The provisions of paragraphs 1 and 3 shall also apply accordingly to subscribers who are legal persons.`

Furthermore, Article V(2) of Law No 129/2018 provides that “all references to Law No 677/2001, as amended and supplemented, in the regulatory acts shall be read as references to the General data Protection Regulation and the legislation implementing it”.

SOURCE: AUTORITA’ PER LA PROTEZIONE DEI DATI DELLA ROMANIA