ANSPDCP (Romania) - 25.09.2023

From GDPRhub
ANSPDCP - 25.09.2023
Authority: ANSPDCP (Romania)
Jurisdiction: Romania
Relevant Law: Article 13 GDPR
Article 14 GDPR
Article 32 GDPR
14 (5) (e) Law 190/2018
Type: Investigation
Outcome: Violation Found
Fine: 2000 EUR
Parties: n/a
National Case Number/Name: 25.09.2023
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Romanian
Original Source: Romanian DPA (in RO)
Initial Contributor: Silvia Axinescu

The City Hall of Albeni was fined 10,000 RON (equivalent to €2000) for failing to comply with remediation measures ordered by the Romanian DPA following a remediation plan, as well as for failing to inform data subjects of their rights under GDPR, and for failing to adopt adequate technical and organisational measures in relation to the CCTV system implemented by the City Hall. The DPA found a violation of Articles 13, 14 and 32 GDPR.

English Summary


The controller, the City Hall of Albeni (Gorj county, Romania) had implemented a CCTV system through which all employees of the City Hall were monitored and screened by the City Hall Mayor. The Romanian DPA opened an investigation following a complaint concerning the CCTV system.

During the investigation, it was found that the controller had failed to comply with previous measures imposed by the DPA during the course of its investigation. As a result, the DPA found violations of Articles 13, 14 and 32 GDPR.

In accordance with the provisions of Law 190/2013, in response to GDPR breaches committed by public authorities (such as the case of the City Hall), the Romanian DPA must first issue a record of findings and penalties with respect to the breach, as well as a warning, and submit a remediation plan (entailing correspondent measures and a deadline for remediation). Following the expiry of the remediation term, the Romanian DPA may resume the investigation to verify the fulfillment of the remediation measures imposed. In the current case, the Romanian DPA had submitted a remediation plan to the controller during the course of their investigation.


Following the expiry of the remediation term, it was found that the controller had failed to demonstrate that they had informed their employees (the data subjects) of their rights under the GDPR and failed to adopt the appropriate technical and organisational measures to ensure secure processing through the CCTV video system. Consequently, the DPA found a breach of Articles 13 and 14 GDPR, and of Article 32 GDPR, and as a result, fined the controller 10,000 RON (equivalent to €2000).

The Romanian DPA imposed corrective measures, ordering the followings:

  • To comply with all of the requests of the Romanian DPA, as ordered through the remediation plan;
  • To implement appropriate technical and organisational measures with respect to the protection of personal data processed through the video surveillance system of the City Hall of Albeni;
  • To inform the Romanian DPA of the procedures adopted in relation to the employees who had access to CCTV system;
  • To take the necessary measures to inform data subjects of their rights under the GDPR in accordance with Articles 13 and 14 GDPR.


Unfortunately, the Romanian DPA does not publish its full decisions. This summary is based on a press release.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.