40.000 euro fine for Emag for failure to comply with GDPR requirements

1. The National Supervisory Authority for Personal Data Processing (NSPSPDPA) has received complaints from three individuals in Hungary against Dante International SA, through the cooperation mechanisms of Regulation (EU) 2016/679.

2. The ANSPDCP has been designated as the lead supervisory authority in this case, as Dante International SA has its main office in Romania.

3. The three complaints concerned various aspects of the processing of personal data by Dante International SA, including the handling of requests for deletion and rectification of personal data.

4. In the first complaint, the lack of adequate training of Dante International SA staff on the procedure for dealing with data subjects’ requests was noted.

5. The second complaint highlighted problems caused by the automatic rejection of requests and incomplete information on the emag.hu website regarding data transfers to third countries.

6. The third complaint concerned the continued processing of an e-mail address, although the data subject had requested its replacement with another address.

7. The ANSPDCP found that Dante International SA breached several provisions of Regulation (EU) 2016/679, including the right to erasure, the obligation to facilitate the exercise of data subjects’ rights and the processing of personal data without consent.

8. Various aspects were taken into account in determining the sanction, including the nature, seriousness and duration of the breach, the negligent nature of the culpability and the types of personal data processed.

9. Dante International SA has been sanctioned with a fine in the amount of 198,440 lei (equivalent to the sum of 40,000 EURO), a warning for various breaches of the provisions of Regulation (EU) 2016/679 and corrective measures.

10 The results of the investigations and the final decision were communicated to the other supervisory authorities, including the Hungarian one, in the framework of an informal consultation procedure based on Article 60 of Regulation (EU) 2016/679.
More details on the ANSPDCP website