ANSPDCP (Romania) - Meedea Construct Prest SRL

Authority: ANSPDCP (Romania)
Jurisdiction: Romania
Relevant Law: Article 5(1)(a) GDPR
Article 5(1)(b) GDPR
Article 5(1)(f) GDPR
Article 5(2) GDPR
Article 6 GDPR
Article 9 GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided:
Published: 17.02.2025
Fine: 9,949 RON
Parties: Meedea Construct Prest SRL
National Case Number/Name: Meedea Construct Prest SRL
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Romanian
Original Source: Autoritatea Naţională de Supraveghere a Prelucrării Datelor cu Caracter Personal (in RO)
Initial Contributor: elu

The DPA fined a construction company RON 9,949 (€2,000) for unlawfully sharing an ex-employee’s data with a third party. This data was later used in court litigation by the third party.

English Summary

Facts

A former employee (the data subject) filed a complaint with the DPA against a construction company, their former employer (the controller).

The controller allegedly shared with a third party data related to their employment. Among these, there were: copies of the individual employment contract, the work aptitude sheet, and a medical certificate.

The third party subsequently used this data in court litigation.

Holding

The DPA held that the controller shared this data unlawfully with the third party. The data processed included: name, surname, address, series and number of the identity document, personal numerical code, position/job/occupation, signature, date of birth, home address, medical condition, and the doctor’s signature and initials.

The controller violated Article 5(1)(a), (b) and (f) GDPR by breaching the principles of lawfulness, fairness and transparency, as well as the principles of purpose limitation and of integrity and confidentiality. The DPA also found that the controller failed to fulfil its duties under the accountability principle, Article 5(2) GDPR. Finally, the controller violated Article 6 GDPR and Article 9 GDPR through the unlawful disclosure of personal and sensitive data, including a medical condition.

Therefore, the DPA deemed it appropriate to fine the controller RON 9,949.6 (€2,000).

Additionally, the DPA recommended that the controller take the following actions:

  • Ensure GDPR compliance in relation to the collection and subsequent processing of personal data, so as to avoid accessing and disclosing personal data processed in violation of the principles of lawfulness;
  • Apply appropriate security and confidentiality measures.

English Machine Translation of the Decision

The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.

17.02.2025

Sanction for violation of the GDPR

The National Supervisory Authority for Personal Data Processing completed an investigation in January 2025 at the operator Meedea Construct Prest SRL and found a violation of the provisions of art. 5 para. (1) letters a), b) and f) and para. (2) in conjunction with art. 6 and 9 of Regulation (EU) 2016/679.

As such, the operator was sanctioned with a fine in the amount of 9,949.6 lei (the equivalent of 2,000 euros).

The investigation was initiated following a complaint from a natural person, who claimed that the operator Meedea Construct Prest SRL (former employer) disclosed to another third party documents related to his employment (copy of the individual employment contract, skills sheet, a medical certificate) and that the third party used them in a court dispute.

During the investigation, it was found that the operator Meedea Construct Prest SRL disclosed, without complying with the legal conditions, personal and health data belonging to the petitioner (former employee), such as: name, surname, address, series and number of the identity document, personal numerical code, position/job/occupation, signature, date of birth, home address, medical conditions, doctor's signature and initials.

In this context, the provisions of art. 5 para. (1) letters a), b) and f) and para. (2), art. 6 and 9 of the GDPR, regarding the principles and lawfulness of the processing of personal data, were violated, the operator being sanctioned with a fine.

At the same time, pursuant to the provisions of art. 58 para. (2) letter b) of Regulation (EU) 2016/679, a corrective measure was ordered requiring the operator to ensure that the collection and subsequent processing of personal data comply with the GDPR, so as to avoid accessing and disclosing personal data processed in violation of the principles and conditions of lawfulness; in this regard, the application of appropriate security and confidentiality measures will also be considered, by establishing written procedures and regular training of persons who process data under the authority of the operator.

Legal and Communication Department

A.N.S.P.D.C.P