ANSPDCP (Romania) - Fine against Concordia Capital IFN S.A.
|Relevant Law:||Article 5(1)(a) GDPR; Article 5(1)(b) GDPR; Article 5(1)(c) GDPR; Article 5(2) GDPR; Article 6 GDPR; Article 5 Law no. 190/2018|
|Parties:||Concordia Capital IFN S.A.|
|National Case Number/Name:||Fine against Concordia Capital IFN S.A.|
|European Case Law Identifier:||n/a|
|Original Source:||ANSPDCP (in RO)|
|Initial Contributor:||Diana Rosu|
The Romanian DPA fined a controller EUR 4,000 for installing video surveillance systems in its offices and monitoring its employees, without a legal basis in breach of Article 6 GDPR.
English Summary
Facts
After the controller Concordia Capital IFN S.A. installed surveillance cameras inside its offices, its employees filed a complaint with the Romanian DPA.
Holding
The Romanian DPA started an investigation and found that:
- the purpose invoked for installing the surveillance cameras, and therefore for processing its employees' personal data, was not justified, and less intrusive measures could have been used to reach the same purpose (physical security);
- the controller processed the personal data without a legal basis, in breach of Article 6 GDPR, and without respecting the data processing principles stated in Article 5(1)(a), (b), (c) GDPR and Article 5(2) GDPR;
- the controller did not use the video surveillance systems according to the legal requirements of Article 5 of the national law no. 190/2018 which regulates the conditions of installing video surveillance at the workplace in conjunction with Article 6(1)(f) GDPR.
As a result, the controller was fined approximately EUR 4,000 (RON 19,772.4).
English Machine Translation of the Decision
The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.
04.05.2022
A new sanction for violating the GDPR

In April 2022, the National Supervisory Authority completed an investigation at Concordia Capital IFN S.A. and found a violation of the provisions of art. 5 and art. 6 of the General Data Protection Regulation.

Concordia Capital IFN S.A. was sanctioned with a fine in the amount of 19,772.4 lei (equivalent to the amount of 4000 EURO).

The sanction was applied as a result of a complaint alleging that the operator installed audio-video cameras in the offices of its employees in violation of the legal provisions on the protection of personal data.

In the investigation initiated by the Supervisory Authority, the following were found:
- that the operator has not proved that the purpose of its rules of procedure (ensuring the protection of persons, property and valuables of the employer and employees) is justified and that other less intrusive means have been used to achieve it which have not proved effective, prior to the adoption of the decision taken in 2020 to use monitoring systems by electronic means of communication and / or by means of video surveillance at work;
- that the operator did not present evidence regarding the observance of the processing principles regulated by art. 5 para. (1) lit. a), b), c) and par. (2) and the legality conditions provided by art. 6 of the General Regulation on Data Protection, which allows Concordia Capital IFN SA to use the means of video surveillance inside the offices used by its employees and implicitly the processing in this way of the personal data of the persons working in these spaces;
- that the operator did not present evidence showing that it fulfilled all the conditions provided by art. 5 of Law no. 190/2018.

In this context, we specify that, by reference to art. 6 lit. f) of the General Regulation on Data Protection, the provisions of art. 5 of Law no. 190/2018 establish the following:

"If monitoring systems are used by electronic means of communication and / or by means of video surveillance at work, the processing of personal data of employees, in order to achieve the legitimate interests pursued by the employer, is allowed only if:
a) the legitimate interests pursued by the employer are duly justified and prevail over the interests or the rights and freedoms of the data subjects;
b) the employer has provided mandatory, complete and explicit prior information to employees;
c) the employer consulted the union or, as the case may be, the employees' representatives before the introduction of the monitoring systems;
d) other less intrusive forms and methods for achieving the goal pursued by the employer have not previously proved their effectiveness; and
e) the duration of storage of personal data is proportional to the purpose of processing, but not more than 30 days, except in situations expressly regulated by law or in duly justified cases."

Legal and Communication Department
A.N.S.P.D.C.P.