ANSPDCP (Romania) - Fine against Global Ports’s Services S.R.L.
ANSPDCP - Fine against Global Ports’s Services S.R.L. | |
---|---|
Authority: | ANSPDCP (Romania) |
Jurisdiction: | Romania |
Relevant Law: | Article 5(1)(c) GDPR Article 5(1)(e) GDPR Article 5(1)(a) GDPR Article 5(2) GDPR Article 6(1) GDPR Article 12 GDPR Article 14 GDPR Art. 5(1)(e) Lege nr. 190/2018 |
Type: | Complaint |
Outcome: | Upheld |
Started: | |
Decided: | |
Published: | 02.10.2024 |
Fine: | 9,947.60 RON |
Parties: | Global Ports’s Services S.R.L. |
National Case Number/Name: | Fine against Global Ports’s Services S.R.L. |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | Romanian |
Original Source: | ANSPDCP (in RO) |
Initial Contributor: | fb |
The DPA fined a controller RON 9,947.60 (€2,000) after it installed GPS devices in its company cars without prior notification of its employees. The DPA found that the purpose of recording the employees' working time could be reached through less intrusive methods.
English Summary
Facts
The controller installed a GPS monitoring system in a company car. According to the controller, the purpose of this installation was the necessity of keeping track of the working time of employees. Data subjects were not informed about the existence of such a tracking device.
The data subject, an employee, filed a complaint with the DPA.
Holding
First, the DPA found that this processing activity lacked of legal basis. More specifically, the DPA pointed out that the controller had not proven that it had previously used other less intrusive methods to achieve the purpose of the processing. Therefore, it found a violation of Article 5(1)(a), 5(1)(c), 5(2) and 6 GDPR.
Secondly, the DPA noted that the controller did not provide data subject with the information set by Article 14 GDPR. Therefore, it found a violation of this article in combination with Article 12 GDPR.
Finally, the DPA pointed out that the controller had stored the data for a period of 6 months, which exceeds the period of 30 days set by Article 5(1)(e) of the national law implementing GDPR (Lege nr. 190/2018). Therefore, it found a violation of Article 5(1)(e) GDPR.
On these grounds, it fined the controller RON 9,947.60 (€2,000).
Comment
This summary is based on a press release. The Romanian DPA does not publish full decisions.
The Romanian law implementing GDPR (Law no. 190/2018) has introduced supplementary conditions for processing of personal data in an employment context. More specifically, Art. 5 of that law provides "In cases where workplace monitoring systems through electronic communications and/or video surveillance measures are used, the processing of the personal data of employees, for the purpose of pursuing the legitimate interests of the employer, is permitted only if: (...) d) Other less intrusive forms and means for reaching the aim pursued by the employer did not prove to be efficient; (...)"
In other words, the DPA does not have to even analyse whether the processing could be performed through less intrusive means, and the controller cannot even claim that it couldn't, if they have not already actually implemented other means first. There are no known situations when a controller performed a legitimate interest assessment showing less intrusive means are not sufficient and thus chose the more intrusive ones directly, but it is not impossible that the DPA would reject that based on the literal reading of the law.
It is worth noting that even though this supplementary condition plays a significant role, the press release for this decision only mentions breaches of GDPR provisions as a basis.
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.
02.10.2024 Sanctions for non-compliance with the GDPR The National Supervisory Authority for the Processing of Personal Data completed, in September 2024, an investigation at the operator Global Ports's Services S.R.L. and found several violations of the provisions of Regulation (EU) 2016/679 (GDPR), by reference to art. 85 para. (5) lit. a) from the same normative act, as follows: a) art. 5 para. (1) lit. a), c) and (2) and art. 6 of the GDPR b) art. 12-14 of the GDPR c) art. 5 para. (1) lit. e) and (2) of the GDPR As such, the operator was penalized with: a) fine in the amount of 9,947.6 lei, the equivalent of 2,000 euros, for the violation of art. 5 para. (1) lit. a), c) and (2) and art. 6 of the GDPR, b) warning for violation of 12-14 of the GDPR; c) warning for violation of art. 5 para. (1) lit. e) and (2) of the GDPR The National Supervisory Authority started an investigation following the receipt of several petitions from a concerned person who complained about the use of a GPS monitoring system on a car used during the period in which she was employed by the operator Global Ports's Services S.R.L., without having was informed of its existence. It also emerged from the petitions of the person concerned that, based on a contract concluded by the operator Global Ports's Services S.R.L. with a commercial company, GPS systems were installed both on the rented machinery and on the company car used by the person concerned who, in the meantime, had become an employee of the second company, the data provided by the GPS system being used for the automatic profiling of the person, respectively for his monitoring. During the investigation, it was found that the operator Global Ports's Services SRL: a) processed the data of the data subject, collected through the GPS monitoring system installed on the company car, for a period of 6 months, until January 2024 and continued to process them after the date on which he was no longer an employee of the company , without presenting evidence to show that it previously used other less intrusive methods to achieve the purpose of the processing, mainly related to the preparation of time sheets and monthly attendance, as well as that it clearly established a legal basis for the processing of this data , by reference to the purposes for which the petitioner's data were to be used, thus violating art. 5 para. (1) lit. a), c) and (2) and art. 6 of the GDPR. b) processed the data of the data subject, including through the GPS monitoring system installed on the company car, for a period of 6 months, until January 2024 and continued to process them after the date on which he was no longer an employee of the company, without presenting evidence regarding the transparent and complete information of the data subject in relation to the processing of his data, in accordance with art. 12-14 of the GDPR. c) stored the data that comes from the use of the GPS monitoring system for 6 months, without presenting evidence to show that exceeding the 30-day period provided by art. 5 of Law no. 190/2018 is based on justified reasons, thus violating art. 5 para. (1) lit. e) and (2) of Regulation (EU) 2016/679. At the same time, pursuant to art. 58 para. (2) lit. d) from Regulation (EU) 2016/679, the following corrective measures were ordered: a) to ensure compliance with the GDPR of the collection and subsequent processing of personal data, in the sense of reassessing the need to achieve the proposed goals by using the data from the use of the GPS monitoring system installed on the service cars of the operator's employees, by referring to the obligations provided by Regulation (EU) 2016/679 and Law no. 190/2018; b) to ensure compliance with the GDPR of the collection and subsequent processing of personal data, by transparent, correct and complete information of all data subjects whose personal data are processed by the operator, including the data subject, in accordance with the provisions of art. 12-14 of Regulation (EU) 2016/679; c) to ensure compliance with the GDPR of the collection and subsequent processing of personal data, by limiting the data storage period by reference to the purposes of data processing, according to the obligations provided by Regulation (EU) 2016/679 and Law no. 190/2018. Legal and Communication Department A.N.S.P.D.C.P.