ANSPDCP (Romania) - Asociația de Proprietari Aviației Park
| ANSPDCP - Asociația de Proprietari Aviației Park | |
|---|---|
 | |
| Authority: | ANSPDCP (Romania) |
| Jurisdiction: | Romania |
| Relevant Law: | Article 5(1)(a) GDPR Article 5(1)(c) GDPR Article 5(1)(e) GDPR Article 5(2) GDPR Article 58(2)(d) GDPR |
| Type: | Complaint |
| Outcome: | Upheld |
| Started: | |
| Decided: | 27.05.2022 |
| Published: | 20.06.2022 |
| Fine: | 7000 EUR |
| Parties: | n/a |
| National Case Number/Name: | Asociația de Proprietari Aviației Park |
| European Case Law Identifier: | n/a |
| Appeal: | Unknown |
| Original Language(s): | Romanian |
| Original Source: | ANSPDCP (in RO) |
| Initial Contributor: | Daniela Duta |
The Romanian DPA fined a controller €7,000 after excessively collecting and processing personal data for the purpose of people access in the residential complex.
English Summary
Facts
The Romanian DPA fined a controller €7,000 after excessively collecting and processing personal data for the purpose of people access in the residential complex, in the sense that the security company requested a series of data from the people who entered the complex and wrote them down in a internal register.
Holding
The Romanian DPA found that the controller - has excessively processed the personal data (first name, surname, ID series and number, destination, time of arrival, time of departure, comments) of the deliverers and/or couriers as data subjects, without a legal basis justified in relation to the purpose of the processing (access control in the residential complex) and without presenting evidence that it ensures the correct and complete information of the data subjects, as well as that the processed data are adequate, relevant and limited to what is necessary in relation to the purpose of the processing; - did not establish a storage period for the personal data processed through the video surveillance system (images) and stored them for a period longer than that necessary to fulfill the purpose for which they are processed, i.e. controlling access to the condominium.
In addition, the DPA ordered the controller to: - Reviewing and updating the technical and organizational measures implemented as a result of the risk assessment for the rights and freedoms of individuals, including the procedures related to the protection of personal data and the establishment of deadlines for the retention of data in a form that allows the identification of the data subjects for a period that does not exceed the period necessary to fulfill the purposes for which the data are processed. - Evaluation of the processing carried out taking into account the principle of proportionality and the reduction of data to a minimum relative to the purpose and legal basis of the processing and the implementation of the necessary measures in order to comply with the principles related to the processing of personal data.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.
The National Supervisory Authority completed, on 27.05.2022, an investigation at the operator Asociatia de Proprietari Aviației Park, as a result of which a violation of the provisions of the General Data Protection Regulation (RGPD) was found, with the operator being penalized for contravention with a fine as follows:
fine in the amount of 9,885.80 lei, the equivalent of 2000 EUROS for violating the provisions of art. 5 para. (1) lit. a) and c) and para. (2) by reference to art. 6 of the RGPD, since the operator has excessively processed the personal data (name, surname, ID series and number, destination, time of arrival, time of departure, comments) of the deliverers and/or couriers as data subjects, without a justified legal basis related to the purpose of the processing (access control in the residential complex) and without presenting evidence that it ensures the correct and complete information of the data subjects, as well as that the processed data is adequate, relevant and limited to what is necessary in relation to the purpose of the processing;
fine in the amount of 24,714.50 lei, the equivalent of 5000 EURO, for violating the provisions of art. 5 para. (1) lit. e) and para. (2) of the GDPR, because the operator did not establish a storage period for the personal data processed through the video surveillance system (images) and stored them for a period longer than that necessary to fulfill the purpose for which they are processed, respectively the control of access to the condominium, although it had the obligation to keep the images in a form that allows the identification of the persons concerned for a period that does not exceed the period necessary to fulfill the purposes for which the data are processed.
At the same time, pursuant to art. 58 para. (2) lit. d) from the RGPD, the following corrective measures were ordered against the operator:
Reviewing and updating the technical and organizational measures implemented as a result of the risk assessment for the rights and freedoms of individuals, including the procedures related to the protection of personal data and the establishment of deadlines for the retention of data in a form that allows the identification of the data subjects for a period that does not exceed the period necessary to fulfill the purposes for which the data are processed.
The evaluation of the processing carried out taking into account the principle of proportionality and the reduction of data to a minimum relative to the purpose and legal basis of the processing and the implementation of the necessary measures in order to comply with the principles related to the processing of personal data provided by art. 5 of the GDPR.
The investigation was started as a result of a notification, which signaled a possible violation of the provisions of the RGPD, as the representatives of the security company were collecting and processing personal data for the purpose of accessing people at the entrance to the residential complex, meaning that they requested a series of given to people entering the complex and writing them down in an internal register.
The investigation showed that data processing for the purpose of access to the residential complex was carried out according to a contract for security services concluded between the owners' association (the operator) and the security company (the proxy), through which the association mandated the security company to ensure the guarding and protection of the objective by security guards and to complete the record book of access of persons. In this sense, the operator has issued to the authorized person the instruction according to which the agents performing security services complete the Personal Access Record Register with the personal data mentioned in its columns, namely name, surname, series and no. identity document, destination, arrival time, departure time, comments, exclusively for delivery and/or courier services.
At the same time, during the investigation, it was found that at the level of the residential complex, access control was also carried out through the video surveillance system, and the owners' association could not prove compliance with the principle of limitation related to storage, established by art. 5 para. (1) lit. e) of the RGPD, namely the establishment of appropriate storage terms for images, noting the existence of stored images approximately one and a half years old.
In this context, we emphasize that according to art. 4 point 7 of the GDPR, the operator establishes the purpose and means of processing, and according to art. 28 para. (3) lit. a) from the RGPD, the authorized person processes the data only on the basis of documented instructions from the operator.
We also remind you that according to art. 5 of the RGPD, the operator must comply with the principles of data processing, including those regarding "legality, fairness and transparency", "data minimization" and "storage limitation". At the same time, the operator is responsible for complying with the principles and must demonstrate this compliance ("responsibility principle").
