The National Supervisory Authority for Personal Data Processing completed, in January 2025, an investigation at the operator SHOPBAG GROUP ONLINE SRL and found a violation of the provisions of art. 83 para. (5) let. e) of Regulation (EU) 2016/679.
As such, the operator was fined 9,949.8 lei (the equivalent of 2,000 euros).
The investigation was initiated following a complaint from an individual who claimed that he had not received a response to his requests to delete his account and the data associated with it from the website depozit-online.ro, owned by the operator.
During the investigation, it was found that the petitioner wanted to delete his account created on the operator's website depozit-online.ro, but the operator did not respond to his request.
Also, the operator did not respond to requests made by the National Supervisory Authority for Personal Data Processing in the exercise of its investigative powers.
Thus, given that the operator did not provide the information that the National Supervisory Authority requested in order to fulfill its tasks, the operator was sanctioned with a minor offence fine, for violating the provisions of art. 83 para. (5) let. e) of Regulation (EU) 679/2016.
“ Art. 83 General conditions for imposing administrative fines
(….) (5) For infringements of the following provisions, in accordance with paragraph (2), administrative fines of up to EUR 20 000 000 or, in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is the higher, shall apply:
(a) the basic principles for processing, including the conditions for consent, in accordance with Articles 5 , 6 , 7 and 9 ;
(b) the rights of data subjects in accordance with Articles 12 to 22 ;
(c) transfers of personal data to a recipient in a third country or an international organisation, in accordance with Articles 44 to 49 ;
(d) any obligations under national legislation adopted pursuant to Chapter IX;
(e) failure to comply with an order or a temporary or permanent limitation of processing, or the suspension of data flows, issued by the supervisory authority pursuant to Article 58 (2) , or failure to grant access, in breach of Article 58 (1) . (….)”
At the same time, the operator was ordered to take the corrective measure of communicating to ANSPDCP all the information and documents requested through the addresses that were communicated to it.
https://www.dataprotection.ro/index.jsp?page=Comunicat_Presa_06_03_2025&lang=ro