ANSPDCP (Romania) - 23.08.2023

Authority: ANSPDCP (Romania)
Jurisdiction: Romania
Relevant Law: Article 5 GDPR
Article 6 GDPR
Article 9 GDPR
Article 17 GDPR
Article 32 GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided: 23.09.2023
Published: 25.08.2023
Fine: 10,000 RON
Parties: n/a
National Case Number/Name: 23.08.2023
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Romanian
Original Source: ANSPDCP (Romania) (in RO)
Initial Contributor: n/a

The Romanian DPA investigated controller BODY LINE SRL and found that it had violated Articles 5, 6, 9, 17, 32(1) and 32(2) GDPR, because an employee of the company had posted on social media a video of the data subject taken from the company's surveillance system. As a result, the controller was fined a total of 49,322 RON (equivalent to €10,000).

English Summary

Facts

The investigation was initiated following a complaint alleging that the controller had disclosed the personal data of the data subject (a customer of the controller) by posting an audio-video recording from its surveillance system on the controller's social media pages. The investigation confirmed the allegations. An employee at BODY LINE SRL disseminated the data subject's data on the company's social media pages by posting an audio-video recording of the data subject together with the data subject's nickname, which revealed the data subject's ethnic origin. The data subject made an erasure request under Article 17 GDPR, but this was ignored.

Holding

The Romanian DPA found a violation of Articles 5, 6 and 9 GDPR, Article 17 GDPR and Article 32(2)(b) GDPR.

Firstly, posting the videos and nickname was a violation of Articles 5, 6 and 9 GDPR, as the controller had no lawful basis to process the data under Article 6 GDPR, and violated the principles of processing under Article 5 GDPR (lawfulness, fairness, transparency). Moreover, there was a violation of Article 9 as the data revealed the data subject’s ethnic origin. Article 9 GDPR prohibits the processing of ‘special categories’ of personal data, unless certain exceptions apply. Data revealing ethnic origin falls within the scope of Article 9 GDPR, and in this case the exceptions did not apply, so the processing was unlawful.

Secondly, the controller did not comply with the complainant's request to delete the data, which constituted a breach of Article 17 GDPR.

Thirdly, the Romanian DPA found that the controller did not adopt sufficient appropriate technical and organisational measures to ensure the confidentiality of the personal data processed through the audio-video surveillance system, as required by Article 32 GDPR. The lack of appropriate internal measures led to an employee of the controller accessing and posting the data subject’s personal data on social media, which amounted to an infringement of Article 32(2)(b) GDPR.

As a result, the controller was fined a total of 49,322 RON, equivalent to €10,000.

English Machine Translation of the Decision

The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.

23.08.2023

Fine for GDPR violation



In July 2023, the National Supervisory Authority for the Processing of Personal Data completed an investigation at the BODY LINE SRL operator and found that it had violated the provisions of art. 5, 6, 9, 17 and art. 32 para. (1) and (2) of Regulation (EU) 2016/679 (GDPR).

The operator was penalized for contravention with fines in the total amount of 49,322 lei, the equivalent of 10,000 EURO.

The investigation was started as a result of a complaint that the operator disclosed the personal data of a petitioner (customer of the operator) by posting an audio-video recording on the operator's social media pages.

During the investigation carried out, the National Supervisory Authority found that BODY LINE SRL, through its social media pages, disseminated the petitioner's data from the audio-video recording and used in the comments an appellation that revealed his ethnic origin, without having any legal basis, thus violating the provisions of art. 5, 6 and 9 of Regulation (EU) 2016/679.

It was also found that the operator did not comply with the request of the petitioner to delete the data, in violation of the provisions of art. 17 of Regulation (EU) 2016/679.

At the same time, it was found that the operator did not adopt sufficient appropriate technical and organizational measures to ensure the confidentiality of personal data processed through the audio-video surveillance system.

This situation led to the access and, subsequently, to the dissemination on the operator's social media pages of an audio-video recording with images of the petitioner, thus violating the provisions of art. 32 para. (1) and (2) of Regulation (EU) 2016/679.

At the same time, the following corrective measures were applied to the BODY LINE SRL operator:

- to ensure compliance with the GDPR of personal data processing operations, including by drawing up written procedures, so that the personal data of the persons concerned are processed in strict compliance with the legal provisions on the protection of personal data, by avoiding the illegal/excessive/unauthorized collection and/or disclosure of their personal data;

- to comply with the request to delete the personal data of the petitioner, related to the posts on the social media pages of the operator;

- to ensure compliance with the GDPR of personal data processing operations, by implementing appropriate technical and organizational measures, especially with regard to training the persons who process data under its authority (employees or collaborators), by regularly organizing training sessions with them on their obligations regarding the processing of personal data through the video surveillance system, by establishing the conditions under which images or audio-video recordings can be accessed by a small number of people, based on individual credentials, and by providing for periodic verification of access to image records, as well as rapid detection, management and reporting of personal data security breaches.

A.N.S.P.D.C.P.