ANSPDCP (Romania) - Fine against Asociația de Proprietari Aviației Park: Difference between revisions

From GDPRhub

Revision as of 08:58, 22 June 2022

ANSPDCP - Fine against Asociația de Proprietari Aviației Park
Authority: ANSPDCP (Romania)
Jurisdiction: Romania
Relevant Law: Article 5(1)(a) GDPR; Article 5(1)(c) GDPR; Article 5(1)(e) GDPR; Article 5(2) GDPR; Article 6 GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided: 27.05.2022
Published: 20.06.2022
Fine: 7000 EUR
Parties: n/a
National Case Number/Name: Fine against Asociația de Proprietari Aviației Park
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Romanian
Original Source: ANSPDCP (in RO)
Initial Contributor: Diana Rosu

The Romanian DPA fined a building owners association €7,000 for processing personal data without a legal basis, without properly informing the data subjects and for breaching the data minimisation and storage limitation principles.

English Summary

Facts

The controller is a building owners association which mandated a security company (the processor) to ensure the security and protection of its buildings. The data subjects were couriers accessing the controller's building complex. The investigation by the ANSPDCP (Romania), initiated upon a complaint, revealed that the processor was collecting a large amount of the couriers' personal data on behalf of the controller. The controller had instructed the processor to keep an access register of couriers entering the residential complex, recording the following information: name, surname, number of the ID card, destination, time of arrival, time of departure and observations. The DPA further found that a video surveillance system was installed at the entrance of the building complex to monitor who enters it, and that the footage captured by this system was stored longer than necessary.

Holding

The Romanian DPA fined the controller €7,000 for violating Article 5(1)(a), (c), (e) and (2) GDPR and Article 6 GDPR: the controller processed personal data without a legal basis and in breach of the data minimisation and storage limitation principles. €2,000 (RON 9,885.80) of the fine was imposed for the violation of Article 5(1)(a), (c) and (2) GDPR and Article 6 GDPR by keeping the access register, and €5,000 (RON 24,714.50) for the violation of Article 5(1)(e) and (2) GDPR by storing the video footage longer than necessary for the purpose of monitoring access to the complex.

Additionally, the DPA ordered the controller under Article 58(2)(d) GDPR to bring its processing into compliance with the GDPR by:

  1. reviewing and updating its technical and organisational measures on the basis of a risk assessment, in particular establishing a deadline after which collected data is anonymised, in accordance with the storage limitation principle;
  2. evaluating the processing carried out and implementing the measures necessary to comply with the principles of Article 5 GDPR.

Comment

This fine was among the highest imposed by the Romanian DPA.

The Romanian DPA publishes only press releases, so no further information on the decision is available.


English Machine Translation of the Decision

The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.

20.06.2022

Sanction for violating the RGPD



The National Supervisory Authority completed, on 27.05.2022, an investigation at the operator of the Park Aviation Owners Association, following which the violation of the provisions of the General Data Protection Regulation (RGPD) was found, the operator being sanctioned with a fine as follows:

  1. fine in the amount of 9,885.80 lei, the equivalent of 2000 EURO, for violating the provisions of art. 5 para. (1) lit. a) and c) and para. (2) by reference to art. 6 of the RGPD, as the controller has excessively processed the personal data (name, surname, series and number of the identity document, destination, time of arrival, time of departure, observations) of the deliverers and / or couriers as data subjects, without a justified legal basis related to the purpose of the processing (control of access to the residential complex) and without providing evidence that it provides accurate and complete information to the data subjects, and that the data processed are adequate, relevant and limited to what is necessary in relation to the purpose of processing;
  2. fine in the amount of 24,714.50 lei, the equivalent of 5000 EURO, for violating the provisions of art. 5 para. (1) lit. e) and para. (2) of the RGPD, because the operator has not established a period of storage for the personal data processed through the video surveillance system (images) and stored them for a longer period than necessary to fulfill the purpose for which they are processed, respectively the control of access to the condominium, although it had the obligation to keep the images in a form that allows the identification of the data subjects for a period that does not exceed the period necessary to fulfill the purposes for which the data are processed.

At the same time, pursuant to art. 58 para. (2) lit. d) of the RGPD, the following corrective measures were ordered against the operator:

  1. Review and update the technical and organizational measures implemented as a result of the risk assessment for the rights and freedoms of individuals, including the procedures for the protection of personal data and the establishment of deadlines for keeping data in a form that allows the identification of data subjects for a period that does not exceed the time required to fulfill the purposes for which the data are processed.
  2. Evaluation of the processing performed, taking into account the principle of proportionality and minimization of data related to the purpose and legal basis of the processing, and implementation of the necessary measures to comply with the principles related to the processing of personal data provided by art. 5 of the RGPD.

The investigation was initiated following a complaint alleging a possible breach of the provisions of the RGPD, as the representatives of the security company collected and processed personal data for the purpose of controlling the access of persons at the entrance to the residential complex, meaning that they requested a series of data from persons entering the complex and noted them in an internal register.

The investigation revealed that the processing of data for access to the residential complex was carried out under a security contract concluded between the owners' association (operator) and the security company (proxy), by which the association mandated the security company to ensure security and protection of the target by security guards and to complete the register of access of persons. In this regard, the operator issued for the power of attorney the instruction according to which the agents performing the security services complete the Register of Access of Persons with the personal data mentioned in its fields, respectively name, surname, series and no. of the identity card, destination, time of arrival, time of departure, remarks, exclusively for delivery and / or courier services.

At the same time, during the investigation it was found that at the level of the residential complex the access control was performed through the video surveillance system, and the Owners Association could not prove compliance with the principle of storage limitation, established by art. 5 para. (1) lit. e) of the RGPD, respectively the establishment of adequate image storage deadlines, finding the existence of stored images with an age of approximately one and a half years.

In this context, we emphasize that according to art. 4 point 7 of the RGPD, the operator establishes the purpose and the means of processing, and according to art. 28 para. (3) lit. a) of the RGPD the proxy processes the data only on the basis of documented instructions from the operator.

We also remind you that according to art. 5 of the RGPD, the operator must comply with the principles of data processing, including those on “legality, fairness and transparency”, “data minimization” and “storage limitation”. At the same time, the operator is responsible for compliance with the principles and must demonstrate this compliance ("liability principle").



Legal and Communication Department

A.N.S.P.D.C.P.