ANSPDCP (Romania) - Fine against Asociația de Proprietari Aviației Park

From GDPRhub
Revision as of 07:42, 22 June 2022 by Hha
ANSPDCP - Fine against Asociația de Proprietari Aviației Park
Authority: ANSPDCP (Romania)
Jurisdiction: Romania
Relevant Law: Article 5(1)(a) GDPR
Article 5(1)(c) GDPR
Article 5(1)(e) GDPR
Article 5(2) GDPR
Article 6 GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided: 27.05.2022
Published: 20.06.2022
Fine: 7000 EUR
Parties: n/a
National Case Number/Name: Fine against Asociația de Proprietari Aviației Park
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Romanian
Original Source: ANSPDCP (in RO)
Initial Contributor: Diana Rosu

The Romanian DPA fined a building owners association the equivalent of €7,000 for processing personal data without a legal basis, without properly informing the data subjects and for breaching the data minimisation and storage limitation principles.

English Summary

Facts

A building owners association acting as a controller was processing excessive amounts of personal data without properly informing the data subjects, without a legal basis and without respecting the data minimization and storage limitation principles. Namely:

  • the building owners association, acting as a controller, instructed one of its processors, a security company, to collect large amounts of personal data (name, surname, personal number, destination, arrival time, leaving time and other remarks) exclusively from persons entering the building complex to provide delivery or courier services.
  • the video footage captured by the surveillance cameras of the building complex was stored and kept longer than was necessary to fulfil the desired purpose.

Holding

Following a complaint against the excessive data collection practised by the security agents of a building complex, the Romanian DPA started an investigation against the security company. However, during the investigation, it was found that the security company was acting as a processor on behalf of a building owners association and was collecting personal data according to the controller's instructions. More precisely, the security guards were collecting the name, surname, personal number, destination, arrival time, leaving time and other remarks of the delivery providers, and this data was kept in an internal access register. Nevertheless, the entire processing occurred without properly informing the data subjects, without a legal basis and without respecting the data minimisation principle, in breach of GDPR Articles 5(1)a, b, (2) and 6.

Additionally, during the investigation, the DPA found that the video surveillance systems used to control access to the building complex did not respect the storage limitation principle and were storing the video footage longer than necessary to achieve the desired purpose, in breach of Article 5(1)e and (2).

As a result, the building owners association was fined the equivalent of:

  • €2,000 (RON 9,885.80) for the breach relating to the collection of the delivery providers' data, and
  • €5,000 (RON 24,714.50) for the breach relating to the long storage of data collected through surveillance cameras.

Additionally, the DPA imposed the following corrective measures against the building owners association:

  • the controller must review its technical and organisational measures and implement adequate retention periods;
  • the controller must implement the proportionality and storage limitation principles in its practices.

Comment

This fine was among the highest imposed by the Romanian DPA.

The Romanian DPA publishes only press releases, therefore no more information was available on the decision.


English Machine Translation of the Decision

The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.

20.06.2022

Sanction for violating the RGPD



The National Supervisory Authority completed, on 27.05.2022, an investigation at the operator of the Park Aviation Owners Association, following which the violation of the provisions of the General Data Protection Regulation (RGPD) was found, the operator being sanctioned with a fine as follows:

  • fine in the amount of 9,885.80 lei, the equivalent of 2000 EURO for violating the provisions of art. 5 para. (1) lit. a) and c) and par. (2) by reference to art. 6 of the RGPD, as the controller has excessively processed the personal data (name, surname, series and number of the identity document, destination, time of arrival, time of departure, observations) of the deliverers and / or couriers as data subjects, without a justified legal basis related to the purpose of the processing (control of access to the residential complex) and without providing evidence that it provides accurate and complete information to the data subjects, and that the data processed are adequate, relevant and limited to what is necessary in relation to purpose of processing;
  • fine in the amount of 24,714.50 lei, the equivalent of 5000 EURO for violating the provisions of art. 5 para. (1) lit. e) and para. (2) of the RGPD, because the operator has not established a period of storage of personal data processed through the video surveillance system (images) and stored them for a longer period than necessary to fulfill the purpose for which they are processed, respectively the control of the access in the condominium, although it had the obligation to keep the images in a form that would allow the identification of the data subjects for a period that does not exceed the period necessary to fulfill the purposes for which the data are processed.

At the same time, pursuant to art. 58 para. (2) lit. d) of the RGPD, the following corrective measures were ordered against the operator:

  • Review and update the technical and organizational measures implemented as a result of the risk assessment for the rights and freedoms of individuals, including the procedures for the protection of personal data and the establishment of deadlines for keeping data in a form that allows the identification of data subjects for a period that does not exceed the time required to fulfill the purposes for which the data are processed.
  • Evaluation of the processing performed taking into account the principle of proportionality and minimization of data related to the purpose and legal basis of the processing and implementation of the necessary measures to comply with the principles related to the processing of personal data provided by art. 5 of the RGPD.

The investigation was initiated following a complaint alleging a possible breach of the provisions of the RGPD, as the representatives of the security company collected and processed personal data for the purpose of accessing persons at the entrance to the residential complex, meaning that they requested a series of data to persons entering the complex and noting them in an internal register.

The investigation revealed that the processing of data for access to the residential complex was carried out under a security contract concluded between the owners' association (operator) and the security company (proxy), by which the association mandated the security company to ensure security and protection of the target by security guards and complete the register of access to persons. In this regard, the operator issued for the power of attorney the instruction according to which the agencies performing the security services complete the Register of Access to Persons with the personal data mentioned in its fields, respectively name, surname, series and no. identity card, destination, time of arrival, time of departure, remarks, exclusively for delivery and / or courier services.

At the same time, during the investigation it was found that at the level of the residential complex the access control was performed through the video surveillance system, and the Owners Association could not prove compliance with the principle of storage limitation, established by art. 5 para. (1) lit. e) of the RGPD, respectively the establishment of adequate image storage deadlines, finding the existence of stored images with an age of approximately one and a half years.

In this context, we emphasize that according to art. 4 point 7 of the RGPD, the operator establishes the purpose and the means of processing, and according to art. 28 para. (3) lit. a) of the RGPD the proxy processes the data only on the basis of documented instructions from the operator.

We also remind you that according to art. 5 of the RGPD, the operator must comply with the principles of data processing, including those on “legality, fairness and transparency”, “data minimization” and “storage limitation”. At the same time, the operator is responsible for compliance with the principles and must demonstrate this compliance ("liability principle").



Legal and Communication Department

A.N.S.P.D.C.P.