ANSPDCP (Romania) - 27.12.2022

From GDPRhub
ANSPDCP - Press Communication 27/12/2022
LogoRO.jpg
Authority: ANSPDCP (Romania)
Jurisdiction: Romania
Relevant Law: Article 29 GDPR
Article 32(1)(b) GDPR
Article 32(2) GDPR
Article 32(4) GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided:
Published: 27.12.2022
Fine: 14,779.80 RON
Parties: n/a
National Case Number/Name: Press Communication 27/12/2022
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Romanian
Original Source: Romanian DPA (in RO)
Initial Contributor: n/a

The Romanian DPA fined a controller €3,000 for not ensuring an adequate protection of personal data against the misuse of a processor. An employee had recorded and shared footage of a security camera, resulting in the publication of personal data online.

English Summary[edit | edit source]

Facts[edit | edit source]

The controller "Kaufland Romania SCS", a chain of commercial stores, was alerted by a data subject that a security video recording, containing images of the data subject showing them in the parking lot of one of the stores owned by the controller, appeared on the web page of a local newspaper.

The controller notified the Romanian DPA of the data security breach pursuant to Article 33 GDPR, prompting an investigation by the DPA.

The investigation revealed that the store manager allowed an employee access to the monitoring room, who captured, with his personal mobile phone, images of the security video recordings that were playing. The employee sent the recordings to a third party via WhatsApp. Later, the images were made public by an online publication. As a result, the image and registration number of a car were made public. Two data subjects were affected by this incident.

The DPA investigated until November 2022.

Holding[edit | edit source]

In its subsequent decision, the DPA held that the controller did not take adequate measures to ensure that any natural person acting under its authority, who has access to personal data, does not process it except at the controller's request. Consequently, the controller did not take adequate measures to continuously protect the data as would have been required by Article 29 GDPR.

Moreover, in violation of Article 32(1)(b), Article 32(2), and Article 34(4) GDPR, the controller had not implemented adequate technical and organizational measures in order to ensure a level of confidentiality and security corresponding to the processing risk generated by the destruction, loss, modification, unauthorized disclosure or unauthorized access to personal data.

Under the provisions of Article 58(2) GDPR, the DPA ordered the controller to apply corrective measure by implementing instructions regarding the prohibition of the use of employees' personal equipment (such as: mobile phone, tablets) to film, take photos, download or distribute security video recordings.

Additionally, the DPA imposed a €3,000 fine on the controller.

Comment[edit | edit source]

Unfortunately, the Romanian DPA only publishes Press Releases and not full decisions.

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.

27.12.2022

Penalty for GDPR violation



In November 2022, the National Supervisory Authority completed an investigation at Kaufland Romania SCS and found a violation of the provisions of art. 29 and art. 32 para. (1) lit. b) and para. (2) and para. (4) from Regulation (EU) no. 2016/679.

As such, the operator Kaufland Romania SCS was fined 14,779.80 lei (equivalent to 3000 EURO) for contravention.

The investigation was started as a result of a data security breach notification that was sent by the operator based on the provisions of art. 33 of Regulation (EU) 2016/679.

Thus, the operator Kaufland Romania SCS was alerted by a concerned person to the fact that a video recording containing images of his person in the parking lot of one of the stores owned by this commercial chain appeared on the web page of a local newspaper.

During the investigation, it turned out that the store manager allowed an employee access to the monitoring room, who captured, with his personal mobile phone, images of the video recordings that were playing and sent them via WhatsApp to a third party. Later, the images were transmitted by posting them by an online publication. As a result, the image and registration number of the car were revealed, with two persons affected by this incident.

It was found that the operator did not take measures to ensure that any natural person acting under its authority who has access to personal data does not process it except at its request and did not take adequate measures to protect the data on an ongoing basis .

Also, it has not implemented adequate technical and organizational measures in order to ensure a level of confidentiality and security corresponding to the processing risk generated in particular, accidentally or illegally, by the destruction, loss, modification, unauthorized disclosure or unauthorized access to personal data personally transmitted, stored or otherwise processed.

At the same time, under the provisions of art. 58 para. (2) of Regulation (EU) 2016/679, the operator was ordered and the corrective measure to implement instructions regarding the prohibition of the use of employees' personal equipment (such as: mobile phone, tablets) to film/take photos/download/distribute video recordings by using WhatsApp or social networks.



Legal and Communication Department

A.N.S.P.D.C.P