ANSPDCP (Romania) - Fine against Global Ports’s Services S.R.L.

From GDPRhub
Revision as of 13:24, 8 October 2024 by Mba (talk | contribs) (→‎Facts)
ANSPDCP - Fine against Global Ports’s Services S.R.L.
LogoRO.jpg
Authority: ANSPDCP (Romania)
Jurisdiction: Romania
Relevant Law: Article 5(1)(c) GDPR
Article 5(1)(e) GDPR
Article 5(1)(a) GDPR
Article 5(2) GDPR
Article 6(1) GDPR
Article 12 GDPR
Article 14 GDPR
Art. 5(1)(e) Lege nr. 190/2018
Type: Complaint
Outcome: Upheld
Started:
Decided:
Published: 02.10.2024
Fine: 9,947.60 RON
Parties: Global Ports’s Services S.R.L.
National Case Number/Name: Fine against Global Ports’s Services S.R.L.
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Romanian
Original Source: ANSPDCP (in RO)
Initial Contributor: fb

The DPA fined a controller RON 9,947.60 (€2,000) after it installed in its company cars a GPS device tracking its employees without a legal basis.

English Summary

Facts

The controller installed a GPS monitoring system in a company car. According to the controller, the purpose of this installation was the necessity of keeping track of the working time of employees. Data subjects were not informed about the existence of such a tracking device.

The data subject, an employee, filed a complaint with the DPA.

Holding

First, the DPA found that this processing activity lacked of legal basis. More specifically, the DPA pointed out that the controller had not proven that it had previously used other less intrusive methods to achieve the purpose of the processing. Therefore, it found a violation of Article 5(1)(a), 5(1)(c), 5(2) and 6 GDPR.

Secondly, the DPA noted that the controller did not provide data subject with the information set by Article 14 GDPR. Therefore, it found a violation of this article in combination with Article 12 GDPR.

Finally, the DPA pointed out that the controller had stored the data for a period of 6 months, which exceeds the period of 30 days set by Article 5(1)(e) of the national law implementing GDPR (Lege nr. 190/2018). Therefore, it found a violation of Article 5(1)(e) GDPR.

On these grounds, it fined the controller RON 9,947.60 (€2,000).

Comment

This summary is based on a press release. The Romanian DPA does not publish full decisions.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.

02.10.2024

Sanctions for non-compliance with the GDPR

 

The National Supervisory Authority for the Processing of Personal Data completed, in September 2024, an investigation at the operator Global Ports's Services S.R.L. and found several violations of the provisions of Regulation (EU) 2016/679 (GDPR), by reference to art. 85 para. (5) lit. a) from the same normative act, as follows:

a) art. 5 para. (1) lit. a), c) and (2) and art. 6 of the GDPR

b) art. 12-14 of the GDPR

c) art. 5 para. (1) lit. e) and (2) of the GDPR

As such, the operator was penalized with:

a) fine in the amount of 9,947.6 lei, the equivalent of 2,000 euros, for the violation of art. 5 para. (1) lit. a), c) and (2) and art. 6 of the GDPR,

b) warning for violation of 12-14 of the GDPR;

c) warning for violation of art. 5 para. (1) lit. e) and (2) of the GDPR

The National Supervisory Authority started an investigation following the receipt of several petitions from a concerned person who complained about the use of a GPS monitoring system on a car used during the period in which she was employed by the operator Global Ports's Services S.R.L., without having was informed of its existence.

It also emerged from the petitions of the person concerned that, based on a contract concluded by the operator Global Ports's Services S.R.L. with a commercial company, GPS systems were installed both on the rented machinery and on the company car used by the person concerned who, in the meantime, had become an employee of the second company, the data provided by the GPS system being used for the automatic profiling of the person, respectively for his monitoring.

During the investigation, it was found that the operator Global Ports's Services SRL:

a) processed the data of the data subject, collected through the GPS monitoring system installed on the company car, for a period of 6 months, until January 2024 and continued to process them after the date on which he was no longer an employee of the company , without presenting evidence to show that it previously used other less intrusive methods to achieve the purpose of the processing, mainly related to the preparation of time sheets and monthly attendance, as well as that it clearly established a legal basis for the processing of this data , by reference to the purposes for which the petitioner's data were to be used, thus violating art. 5 para. (1) lit. a), c) and (2) and art. 6 of the GDPR.

b) processed the data of the data subject, including through the GPS monitoring system installed on the company car, for a period of 6 months, until January 2024 and continued to process them after the date on which he was no longer an employee of the company, without presenting evidence regarding the transparent and complete information of the data subject in relation to the processing of his data, in accordance with art. 12-14 of the GDPR.

c) stored the data that comes from the use of the GPS monitoring system for 6 months, without presenting evidence to show that exceeding the 30-day period provided by art. 5 of Law no. 190/2018 is based on justified reasons, thus violating art. 5 para. (1) lit. e) and (2) of Regulation (EU) 2016/679.

At the same time, pursuant to art. 58 para. (2) lit. d) from Regulation (EU) 2016/679, the following corrective measures were ordered:

a) to ensure compliance with the GDPR of the collection and subsequent processing of personal data, in the sense of reassessing the need to achieve the proposed goals by using the data from the use of the GPS monitoring system installed on the service cars of the operator's employees, by referring to the obligations provided by Regulation (EU) 2016/679 and Law no. 190/2018;

b) to ensure compliance with the GDPR of the collection and subsequent processing of personal data, by transparent, correct and complete information of all data subjects whose personal data are processed by the operator, including the data subject, in accordance with the provisions of art. 12-14 of Regulation (EU) 2016/679;

c) to ensure compliance with the GDPR of the collection and subsequent processing of personal data, by limiting the data storage period by reference to the purposes of data processing, according to the obligations provided by Regulation (EU) 2016/679 and Law no. 190/2018.

 

Legal and Communication Department

A.N.S.P.D.C.P.