ANSPDCP (Romania) - 23.03.2023: Difference between revisions

From GDPRhub
No edit summary
(changed data controller to controller, shortened a bit, moved a few details from the facts to the holding. No change on the content :))
Line 76: Line 76:


=== Facts ===
=== Facts ===
The data controller installed a GPS tracker on a company car.
The controller installed a GPS tracker on a company car.


The data subject, namely the employee using that company car, filed a complaint with the Romanian DPA, indicating that the data controller processes its personal data collected through the GPS tracker, without providing the data subject with information in respect to the existence of the GPS tracker, processing purposes, applicable legal grounds, and retention periods. Also, the data subject complained that the personal data collected through the GPS tracker were also processed for other purposes, besides monitoring the company car.
The data subject, namely the employee using that company car, filed a complaint with the Romanian DPA, indicating that he was not aware of the existence of the GPS tracker and that the controller did not inform him about the processing purposes, applicable legal grounds, and retention periods. Also, the data subject stated that the personal data collected through the GPS tracker were not only processed for the purpose of monitoring the company car.  
The Romanian DPA started an investigation on such matters.  


The investigation revealed that the data controller processed the personal data collected through the GPS tracker, without providing the data subject with complete information in relation to such processing activities.  
Following this complaint, the Romanian DPA started an investigation. It revealed that the data controller processed the personal data collected through the GPS tracker, without providing the data subject with complete information in relation to such processing activities. Also, it was found that the controller processed the data for various purposes and that it collected location data outside of working hours. 


Also, it was found that the data controller processed such personal data for other purposes, besides the one for which such were initially collected.  
The investigation also showed that the controller stored the data after the expiration of 30-day storage period, provided by [https://www.dataprotection.ro/?page=legislatie_primara&lang=ro Article 5 of Law No. 190/2018], without being able to prove that exceeding the 30-day period is based on justified reasons, as required under the law.


Moreover, during the investigation, it was found that the data controller excessively processed (outside working hours) the location data of the data subject, without being able to demonstrate that it has previously exhausted other less intrusive means to achieve the envisaged processing purposes.  
=== Holding ===
The DPA found that the controller was processing data without providing complete and correct information and in an excessive way (outside the working hours), without being able to demonstrate that it has previously exhausted other less intrusive means. The controller thus violated [[Article 5 GDPR#1a|Article 5(1)(a)]], [[Article 5 GDPR|5(1)(c)]], [[Article 5 GDPR#1e|5(1)(e)]] and [[Article 5 GDPR#2|5(2)]] and [[Article 6 GDPR]]. For such, the DPA imposed a fine in the amount of RON 14,697.9 (approximately €3,000).  


At the same time, it was found that data controller stored the data from the above-mentioned system, after the expiration of 30-day storage period, provided by Article 5 of Law No. 190/2018 (https://www.dataprotection.ro/?page=legislatie_primara&lang=ro), without being able to prove that exceeding the 30-day period is based on justified reasons, as required under the law.
=== Holding ===
The DPA found that by processing the data subject's personal data without providing complete and correct information and in an excessive way (outside the working hours), the data controller violated the provisions of [[Article 5 GDPR#1a|Article 5(1)(a)]], [[Ar-ticle 5 GDPR#1c|Article 5(1)(c)]], [[Article 5 GDPR#1e|Article 5(1)(e)]] and [[Article 5 GDPR#2|Article 5(2)]] and [[Article 6 GDPR]]. For such, the DPA imposed a fine in the amount of RON 14,697.9 (approximately €3000).
Moreover, the DPA found that by exceeding the 30-day term for retaining the personal data collected through the GPS tracker, without any justified reasons in this respect, the data controller violated the provisions of [[Article 5 GDPR#1e|Article 5(1)(e)]] and [[Article 5 GDPR#2|Article 5(2) GDPR]]. For such, the DPA imposed a fine in the amount of RON 9,798.6 (approximately €2000).
Moreover, the DPA found that by exceeding the 30-day term for retaining the personal data collected through the GPS tracker, without any justified reasons in this respect, the data controller violated the provisions of [[Article 5 GDPR#1e|Article 5(1)(e)]] and [[Article 5 GDPR#2|Article 5(2) GDPR]]. For such, the DPA imposed a fine in the amount of RON 9,798.6 (approximately €2000).


In accordance with [[Article 58 GDPR#2d|Article 58(2)(d) GDPR]], the DPA also imposed corrective measures.  
In accordance with [[Article 58 GDPR#2d|Article 58(2)(d) GDPR]], the DPA also imposed corrective measures.  


First, the DPA ordered the data controller to ensure compliance with the GDPR of the operations of collection and further processing of personal data, by reassessing the need to achieve the processing purposes by using the location data from the GPS tracker installed on company cars used by the data controller's employees and avoiding excessive collection of the data, by reference to the requirements regulated under GDPR and Law No. 190/2018 (https://www.dataprotection.ro/?page=legislatie_primara&lang=ro).
First, the DPA ordered the data controller to reassess the use of location data from the GPS tracker to achieve the purposes of the processing and to avoid excessive collection of data.  


Second, the DPA ordered the data controller to ensure compliance with the GDPR of the operations of collection and further processing of personal data, by limiting the data storage period by reference to the purposes of data processing, in accordance with the requirements regulated under GDPR and Law No. 190/2018 (https://www.dataprotection.ro/?page=legislatie_primara&lang=ro).
Second, the DPA ordered the controller to limit the data storage period by reference to the purposes of data processing.


== Comment ==
== Comment ==
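
Review bot: In the new Holding paragraph the link for 5(1)(c) is written `[[Article 5 GDPR|5(1)(c)]]` with no section anchor, while the neighbouring links point to `#1a`, `#1e` and `#2`; it should read `[[Article 5 GDPR#1c|5(1)(c)]]`. The edit summary says "data controller" was changed to "controller", but the new text still uses "data controller" in several sentences, for example "It revealed that the data controller processed the personal data" in the Facts and "the DPA ordered the data controller to reassess" in the Holding. These should be brought in line with the rest of the revision. The new text also mixes "€3,000" with "€2000"; one thousands-separator style should be used for both fines.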

Revision as of 08:13, 4 April 2023

ANSPDCP - 23.03.2023
Authority: ANSPDCP (Romania)
Jurisdiction: Romania
Relevant Law: Article 5(1)(a) GDPR
Article 5(1)(c) GDPR
Article 5(1)(e) GDPR
Article 5(2) GDPR
Article 6 GDPR
Article 5 Law No. 190/2018
Type: Investigation
Outcome: Violation Found
Started:
Decided:
Published: 23.03.2023
Fine: 5000 EUR
Parties: Tehnoplus Industry SRL
National Case Number/Name: 23.03.2023
European Case Law Identifier: N/A
Appeal: Unknown
Original Language(s): Romanian
Original Source: ANSPDCP (in RO)
Initial Contributor: Marta.Tudor

The Romanian DPA fined Tehnoplus Industry SRL a total of €5000 for various violations of Articles 5 and 6 GDPR in relation to the processing activities performed through the GPS tracker installed on company cars.

English Summary

Facts

The controller installed a GPS tracker on a company car.

The data subject, namely the employee using that company car, filed a complaint with the Romanian DPA, indicating that he was not aware of the existence of the GPS tracker and that the controller did not inform him about the processing purposes, applicable legal grounds, and retention periods. Also, the data subject stated that the personal data collected through the GPS tracker were not only processed for the purpose of monitoring the company car.

Following this complaint, the Romanian DPA started an investigation. It revealed that the data controller processed the personal data collected through the GPS tracker, without providing the data subject with complete information in relation to such processing activities. Also, it was found that the controller processed the data for various purposes and that it collected location data outside of working hours.

The investigation also showed that the controller stored the data after the expiration of the 30-day storage period provided by Article 5 of Law No. 190/2018, without being able to prove that exceeding the 30-day period was based on justified reasons, as required under the law.

Holding

The DPA found that the controller was processing data without providing complete and correct information and in an excessive way (outside the working hours), without being able to demonstrate that it had previously exhausted other less intrusive means. The controller thus violated Article 5(1)(a), 5(1)(c), 5(1)(e) and 5(2) and Article 6 GDPR. For these violations, the DPA imposed a fine in the amount of RON 14,697.9 (approximately €3,000).

Moreover, the DPA found that by exceeding the 30-day term for retaining the personal data collected through the GPS tracker, without any justified reasons in this respect, the data controller violated the provisions of Article 5(1)(e) and Article 5(2) GDPR. For this violation, the DPA imposed a fine in the amount of RON 9,798.6 (approximately €2,000).

In accordance with Article 58(2)(d) GDPR, the DPA also imposed corrective measures.

First, the DPA ordered the data controller to reassess the use of location data from the GPS tracker to achieve the purposes of the processing and to avoid excessive collection of data.

Second, the DPA ordered the controller to limit the data storage period by reference to the purposes of data processing.


English Machine Translation of the Decision

The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.

23.03.2023

Penalty for GDPR violation

In February of the current year, the National Supervisory Authority completed an investigation at the operator Tehnoplus Industry SRL in which it found a violation of the provisions of art. 5 para. (1) lit. a), c), e) and para. (2), as well as of art. 6 of the General Data Protection Regulation (RGPD).

As such, the company Tehnoplus Industry SRL was sanctioned as follows:

- fine in the amount of 14,697.9 lei, the equivalent of 3,000 EURO for violating the provisions of art. 5 para. (1) lit. a), c), e) and para. (2) and art. 6 of the GDPR;

- fine in the amount of 9,798.6 lei, the equivalent of 2,000 EURO for violating the provisions of art. 5 para. (1) lit. e) and para. (2) of the GDPR.

The investigation was carried out as a result of a complaint claiming that the operator processed the personal data of the petitioner through the GPS system installed on his company car, without having been informed about the monitoring of the vehicle, the purpose and the legal basis of this processing and the duration of storage of the data thus collected.

The petitioner also complained that the information extracted from the GPS system was used by the operator for a purpose other than that of monitoring the service car assigned to him.

During the investigation, it was found that Tehnoplus Industry SRL excessively processed (outside working hours) the location data of the petitioner, an employee of the operator, through the GPS monitoring system installed on his company car, without having demonstrated that it had previously exhausted other less intrusive methods to achieve the purpose of the processing and without proving the complete information of the petitioner in relation to the data processing through the GPS system, thus violating the provisions of art. 5 para. (1) lit. a), c) and (2) and art. 6 of the GDPR.

At the same time, it was found that the operator stored the data from the above-mentioned system, after the expiration of the storage period, without presenting evidence from which it can be concluded that exceeding the 30-day period provided by art. 5 of Law no. 190/2018 is based on justified reasons, thus violating the provisions of art. 5 para. (1) lit. e) and (2) of the GDPR.

It was also found that the operator used the petitioner's data from the GPS system for a purpose other than the one for which he had originally collected it.

At the same time, pursuant to art. 58 para. (2) lit. d) from the RGPD, have decided against the company Tehnoplus Industry SRL:

- the corrective measure to ensure compliance with the RGPD of the operations of collection and further processing of personal data, by reassessing the need to achieve the proposed goals by using the location data from the GPS monitoring system installed on the service cars of the operator's employees and avoiding excessive collection of the data, by referring to the obligations provided by the RGPD and Law no. 190/2018;

- the corrective measure to ensure compliance with the RGPD of the operations of collection and further processing of personal data, by limiting the data storage period by reference to the purposes of data processing, according to the obligations provided by the RGPD and Law no. 190/2018.

Legal and Communication Department

A.N.S.P.D.C.P.