ANSPDCP (Romania) - Fine against Asociația de Proprietari Aviației Park

From GDPRhub
ANSPDCP - Fine against Asociația de Proprietari Aviației Park
Authority: ANSPDCP (Romania)
Jurisdiction: Romania
Relevant Law: Article 5(1)(a) GDPR
Article 5(1)(c) GDPR
Article 5(1)(e) GDPR
Article 5(2) GDPR
Article 6 GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided: 27.05.2022
Published: 20.06.2022
Fine: 7000 EUR
Parties: n/a
National Case Number/Name: Fine against Asociația de Proprietari Aviației Park
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Romanian
Original Source: ANSPDCP (in RO)
Initial Contributor: Diana Rosu

The Romanian DPA fined a building owners association €7000 for keeping an extensive register of couriers entering the residential complex and for keeping video surveillance footage of the entrance longer than necessary for security purposes.

English Summary

Facts

The controller is a building owners association which mandated a security company (the processor) to ensure the security and protection of its buildings. The data subjects were couriers accessing the controller's building complex. The investigation of the ANSPDCP (Romania), which was initiated upon a complaint, revealed that the processor was collecting a large amount of personal data of the couriers on behalf of the controller. The processor was instructed by the controller to keep an access register of couriers entering the residential complex and to record the following information in it: name, surname, number of the ID card, destination, time of arrival, time of departure, observations. The DPA further found in its investigation that a video surveillance system was installed at the entrance of the building complex to monitor who was entering the complex, and that the video footage captured by this surveillance system was stored longer than necessary.

Holding

The Romanian DPA fined the controller €7000 for violating Article 5(1)(a), (c), (e), (2) GDPR and Article 6 GDPR by processing the personal data without a legal basis and by violating the principles of data minimisation and storage limitation. €2,000 (RON 9,885.80) of the fine was for the violation of Article 5(1)(a), (c), (2) GDPR and Article 6 GDPR by keeping the access register, and €5,000 (RON 24,714.50) was for the violation of Article 5(1)(e), (2) GDPR by storing the video footage longer than necessary for the purpose of monitoring access to the complex.

Additionally, the DPA ordered the controller under Article 58(2)(d) GDPR to bring its processing into compliance with the GDPR by:

  1. reviewing and updating the technical and organisational measures on the basis of a risk assessment, especially establishing a deadline after which collected data is anonymised and which is in accordance with the storage limitation principle.
  2. evaluating the processing carried out to implement the necessary measures to comply with the principles of Article 5 GDPR.

Comment

This fine was among the highest imposed by the Romanian DPA.

The Romanian DPA publishes only press releases, therefore no more information was available on the decision.


English Machine Translation of the Decision

The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.

20.06.2022

Sanction for violating the RGPD



The National Supervisory Authority completed, on 27.05.2022, an investigation at the operator of the Park Aviation Owners Association, following which the violation of the provisions of the General Data Protection Regulation (RGPD) was found, the operator being sanctioned with a fine as follows:

  1. fine in the amount of 9,885.80 lei, the equivalent of 2000 EURO for violating the provisions of art. 5 para. (1) lit. a) and c) and par. (2) by reference to art. 6 of the RGPD, as the controller has excessively processed the personal data (name, surname, series and number of the identity document, destination, time of arrival, time of departure, observations) of the deliverers and / or couriers as data subjects, without a justified legal basis related to the purpose of the processing (control of access to the residential complex) and without providing evidence that it provides accurate and complete information to the data subjects, and that the data processed are adequate, relevant and limited to what is necessary in relation to purpose of processing;
  2. fine in the amount of 24,714.50 lei, the equivalent of 5000 EURO for violating the provisions of art. 5 para. (1) lit. e) and para. (2) of the RGPD, because the operator has not established a period of storage of personal data processed through the video surveillance system (images) and stored them for a longer period than necessary to fulfill the purpose for which they are processed, respectively the control of the access in the condominium, although it had the obligation to keep the images in a form that would allow the identification of the data subjects for a period that does not exceed the period necessary to fulfill the purposes for which the data are processed.

At the same time, pursuant to art. 58 para. (2) lit. d) of the RGPD, the following corrective measures were ordered against the operator:

  1. Review and update the technical and organizational measures implemented as a result of the risk assessment for the rights and freedoms of individuals, including the procedures for the protection of personal data and the establishment of deadlines for keeping data in a form that allows the identification of data subjects for a period that does not exceed the time required to fulfill the purposes for which the data are processed.
  2. Evaluation of the processing performed taking into account the principle of proportionality and minimization of data related to the purpose and legal basis of the processing and implementation of the necessary measures to comply with the principles related to the processing of personal data provided by art. 5 of the RGPD.

The investigation was initiated following a complaint alleging a possible breach of the provisions of the RGPD, as the representatives of the security company collected and processed personal data for the purpose of accessing persons at the entrance to the residential complex, meaning that they requested a series of data from persons entering the complex and noted them in an internal register.

The investigation revealed that the processing of data for access to the residential complex was carried out under a security contract concluded between the owners' association (operator) and the security company (proxy), by which the association mandated the security company to ensure security and protection of the target by security guards and complete the register of access to persons. In this regard, the operator issued for the power of attorney the instruction according to which the agencies performing the security services complete the Register of Access to Persons with the personal data mentioned in its fields, respectively name, surname, series and no. identity card, destination, time of arrival, time of departure, remarks, exclusively for delivery and / or courier services.

At the same time, during the investigation it was found that at the level of the residential complex the access control was performed through the video surveillance system, and the Owners Association could not prove compliance with the principle of storage limitation, established by art. 5 para. (1) lit. e) of the RGPD, respectively the establishment of adequate image storage deadlines, finding the existence of stored images with an age of approximately one and a half years.

In this context, we emphasize that according to art. 4 point 7 of the RGPD, the operator establishes the purpose and the means of processing, and according to art. 28 para. (3) lit. a) of the RGPD the proxy processes the data only on the basis of documented instructions from the operator.

We also remind you that according to art. 5 of the RGPD, the operator must comply with the principles of data processing, including those on “legality, fairness and transparency”, “data minimization” and “storage limitation”. At the same time, the operator is responsible for compliance with the principles and must demonstrate this compliance ("liability principle").



Legal and Communication Department

A.N.S.P.D.C.P.