IKEA ROMÂNIA SA – €1,000 Fine (Romania, 2021)

The controller IKEA Romania organised a drawing contest for the children of 'IKEA Family' members. To join the contest, the legal guardians of the children had to upload the drawings, their consent, and participation forms. These forms included their own personal data (name, surname, city, country, email, IKEA membership number, and handwritten signature), and their children's personal data (name, surname, and age). The drawings were then published on the online platform, to vote for the contest winner. However, in doing so, IKEA also erroneously published the participation forms, which included the personal data of the participants (children and their legal guardians). This data breach was then notified to the Romanian DPA. The DPA started an investigation and found that the personal data of 114 data subjects (out of which half were minors) was erroneously published and left available online for 40 hours on the dedicated platform for 'IKEA Family' members. Hence, this affected the confidentiality of the personal data, in breach of Article 32(1)(b) GDPR and Article 32(2) GDPR. The DPA emphasised, referring to recital 38, that children need specific protection of their personal data, and fined IKEA Romania for approx €1,000 (RON 4948.8).