ANSPDCP (Romania) - Fine against Denmar Nacrut SRL
|ANSPDCP - Fine against Denmar Nacrut SRL|
|Relevant Law:||Article 5(1)(b) GDPR|
Article 5(1)(c) GDPR
Article 5(1)(a) GDPR
Article 5(2) GDPR
Article 6 GDPR
Article 12 GDPR
Article 13 GDPR
|Parties:||Denmar Nacrut SRL|
|National Case Number/Name:||Fine against Denmar Nacrut SRL|
|European Case Law Identifier:||n/a|
|Original Source:||ANSPDCP (in RO)|
|Initial Contributor:||Diana Rosu|
The Romanian DPA fined a beauty salon €2,500 because it had CCTV cameras installed inside and outside of the salon, excessively surveilling both its clients and its employees without clearly informing them.
English Summary[edit | edit source]
Facts[edit | edit source]
The Romanian DPA started an investigation into Denmar Nacrut SRL, a beauty salon (controller) after it received a complaint about excessive surveillance systems. During the investigation, the DPA found that the controller had installed CCTV cameras inside and outside its beauty salon, surveilling both its clients and its employees (data subjects) without clearly informing them.
Holding[edit | edit source]
The DPA noted that the data subject were not clearly informed about this data processing pursuant to the requirements of Article 12 and 13 GDPR. The DPA fined the controller approximately €1,500 for this violation.
Since the data subjects did not consent and there was no other legal basis for the surveillance, the controller would need to have a legitimate interest for these processing activities (Article 6(1)(f) GDPR). The DPA noted that the controller did not provide any reason (such as previous incidents) to justify its legitimate interest regarding the excessive surveillance system. In particular, the controller failed to provide a reason that would override the interests of the data subjects. Thus, the processing activities were excessive and not limited to what was necessary to reach the desired purpose.
This amounts to a total fine of €2,500.
The DPA also ordered to controller to:
- properly inform the data subjects according to the requirements of Articles 12-13;
- stop the video surveillance when there is no legal ground to do so;
- implement the necessary technical and organisational measures to lawfully manage the video surveillance; and
- to restrict the remote and continuous access to the video captions, and only allow accessing those captions in special cases such as incidents.
Comment[edit | edit source]
The press release* did not mention the controller's initial purpose for the surveillance activites (if there was any). However it does refer to 'incidents', which could mean theft e.g.
*The Romanian DPA only publishes press releases of it's decisions.
Further Resources[edit | edit source]
Share blogs or news articles here!
English Machine Translation of the Decision[edit | edit source]
The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.
08/09/2022 Penalty for GDPR violation In July 2022, the National Supervisory Authority completed an investigation at the operator Denmar Nacrut SRL and found a violation of the provisions of art. 12, art. 13, as well as art. 5 para. (1) lit. a), b) and c), related to art. 5 para. (2) and art. 6 of the General Data Protection Regulation. As such, the operator was penalized as a contravention, as follows: fine in the amount of 4,945.10 lei (the equivalent of 1000 EURO), for violating the provisions of art. 12-13 of the General Data Protection Regulation; fine in the amount of 7,417.65 lei (the equivalent of 1500 EURO), for violating the provisions of art. 5 para. (1) lit. a), b) and c), related to art. 5 para. (2) and art. 6 of the General Data Protection Regulation. At the same time, under art. 58 para. (2) lit. d) from the General Data Protection Regulation, the following corrective measures were ordered against the operator: ensuring the information of the concerned persons through the communication in a concise, transparent, intelligible and easily accessible form of all the information provided by art. 13 of the General Data Protection Regulation and under the conditions of transparency referred to in art. 12 of the same regulation; eliminating the use of the video surveillance camera installed at the cosmetic room level for which there is no express legal basis for processing the personal data of its customers and employees according to art. 6 of the General Data Protection Regulation; ensuring compliance with the General Data Protection Regulation of personal data processing operations, by implementing appropriate technical and organizational measures and establishing appropriate rules related to the management of images captured by surveillance cameras; prohibiting remote access via the Internet to images and recordings, as well as accessing images and recordings only in the event of incidents related to the purpose of installing these surveillance cameras. The investigation was started as a result of a report through which a natural person signaled the fact that the targeted persons, clients of SC Denmar Nacrut SRL, were being monitored by video during the provision of cosmetic services. During the investigation, it was found that Denmar Nacrut SRL has a video surveillance system installed both inside and outside the space where the operator operates, which monitors both employees and customers. It was also noted that the operator did not prove that it had provided clear, complete and correct information to its employees and the persons concerned whose personal data (ie the image) is processed through video surveillance cameras, by communicating all the information provided by art. 13 of the General Data Protection Regulation and under the transparency conditions of art. 12 of the same regulation. At the same time, it turned out that Denmar Nacrut SRL did not prove any previously existing incidents that would justify its legitimate interest that prevailed over the interests or fundamental rights and freedoms of the persons concerned. Thus, it was found that the operator excessively processed the data (images) of its customers and employees, through the video camera installed in the premises where cosmetic treatments were performed. The data thus processed were not adequate, relevant and limited to what is necessary in relation to the purposes for which they were processed ("data minimization"). The operator's stated purpose could be achieved by means less intrusive to the privacy of its customers and employees. As such, the violation of the provisions of art. 5 para. (1) lit. a), b) and c) of the General Data Protection Regulation related to the conditions regarding the legality of the processing established by art. 6 of the same regulation. In addition, the operator could not demonstrate compliance with the principles of processing according to art. 5 para. (2) of the General Data Protection Regulation. Legal and Communication Department A.N.S.P.D.C.P.