ANSPDCP (Romania) - Fine against LORIS FUEL SHOP SRL

From GDPRhub
Revision as of 14:37, 18 May 2022 by SR (talk | contribs) (→‎Comment)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
ANSPDCP - Fine against LORIS FUEL SHOP SRL
LogoRO.jpg
Authority: ANSPDCP (Romania)
Jurisdiction: Romania
Relevant Law: Article 29 GDPR
Article 32(4) GDPR
Article 58(2)(d) GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided:
Published: 12.05.2022
Fine: 1000 EUR
Parties: LORIS FUEL SHOP SRL
National Case Number/Name: Fine against LORIS FUEL SHOP SRL
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Romanian
Original Source: ANSPDCP (in RO)
Initial Contributor: Diana Rosu

The Romanian DPA fined a gas station €1,000 for not implementing appropriate technical and organisational measures against unauthorised access to video footage captured by its surveillance cameras.

English Summary

Facts

The controller - LORIS FUEL SHOP SRL - is a gas station. The data subject complained to the ANSPDCP (Romania) that images of him taken by a video surveillance system installed in the controller's gas station were published on Facebook without his consent. In its investigation of the incident, the ANSPDCP found that the controller did not sufficiently train its employees to handle personal data captured by the video surveillance system which let to third parties viewing and filming the images of the video cameras.

Holding

The ANSPDCP fined LORIS FUEL SHOP SRL €1,000 for violating Articles 29 and 32(4) GDPR by not implementing the necessary technical and organisational measures to protect the video footage from unauthorised access. Furthermore, it instructed the controller to ensure compliance with the GDPR by implementing appropriate technical and organizational measures, especially in the form of training its employees, verifying access to the stored video recordings and implementing measures to rapidly detect, manage and report data breaches.

Comment

As for the instruction to ensure compliance with the GDPR, the ANSPDCP did not explicitly refer to Article 58(2)(d) GDPR but it can be assumed that the instruction is based on this provision.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.

12.05.2022

Sanction for violating the RGPD



The National Supervisory Authority completed in April 2022 an investigation at the operator LORIS FUEL SHOP SRL and found the violation of the provisions of art.29 and art.32 par. (4) of the General Data Protection Regulation (RGPD).

The operator LORIS FUEL SHOP SRL was sanctioned with a fine in the amount of 4,941.3 lei, the equivalent of 1,000 EURO.

The investigation was initiated following a complaint in which the petitioner claimed the publication on Facebook of some images in which he was caught and which came from the monitor belonging to a video surveillance system installed in a gas station in Harghita County.

During the investigation, it was found that the operator LORIS FUEL SHOP SRL, as a proxy, did not adopt sufficient appropriate technical and organizational measures to ensure the confidentiality of personal data processed on images recorded through the television system installed in the stations used, in especially in terms of training data controllers under its authority (employees). This led to the viewing and filming by unauthorized third parties of the images of the video cameras from the working point in Harghita County, later being revealed on a social network, thus violating the provisions of art. 29 and 32 para. (4) of Regulation (EU) 2016/679.

At the same time, during the investigation of the operator LORIS FUEL SHOP SRL, a corrective measure was applied to ensure compliance with RGPD of personal data processing operations, by implementing appropriate technical and organizational measures, especially in terms of training data processors under the authority (employees or collaborators), by regularly organizing training sessions with them, in connection with their obligations regarding the processing of personal data through the video system installed in stations, the verification of access to recordings of images stored on DVR, rapid detection, management and reporting of personal data breaches.



Legal and Communication Department

A.N.S.P.D.C.P