ANSPDCP (Romania) - Prestige Media PHG SRL
| ANSPDCP - Prestige Media PHG SRL | |
|---|---|
 | |
| Authority: | ANSPDCP (Romania) |
| Jurisdiction: | Romania |
| Relevant Law: | Article 5(1)(a) GDPR Article 5(2) GDPR Article 6 GDPR |
| Type: | Complaint |
| Outcome: | Upheld |
| Started: | |
| Decided: | |
| Published: | 08.11.2022 |
| Fine: | 5,000 EUR |
| Parties: | Prestige Media PHG SRL |
| National Case Number/Name: | Prestige Media PHG SRL |
| European Case Law Identifier: | n/a |
| Appeal: | Unknown |
| Original Language(s): | Romanian |
| Original Source: | ANSPDCP (in RO) |
| Initial Contributor: | Daniela Duta |
The Romanian DPA fine a controller €5,000 for publishing 23 termination of employment relationship decisions of employees from another company on its website.
English Summary
Facts
The investigation was started by the ANSPDCP as a result of a notification regarding a possible violation of the GDPR provisions by publishing on the controller's website confidential documents, including the termination of employment relationship decisions of some employees of another company.
In the course of the investigation, it was found that 23 nominal termination of employment relationship decisions containing personal data (name, surname, position, employment contract number, disciplinary violations) were displayed on that website although they had no legal relationship with Prestige Media PHG SRL.
It was also noted that the controller did not present evidence from which it could be concluded that he legally processed the personal data from the 23 documents in the context of unauthorized disclosure in the online environment, by publishing them on his website.
Holding
In October 2022, the Romanian DPA completed an investigation at the controller Prestige Media PHG SRL and found a violation of the provisions of the Article 5(1)(a) GDPR and the Article 5(2) GDPR and the Article 6 GDPR.
The DPA fined the controller €5,000.
At the same time, the controller was also applied the corrective measure of elimination/anonymization of the information that allows the identification of the data subject from the termination of employment relationship decisions, published on its website.
Comment
The Romanian DPA rarely published full decisions. This summary is based on a press release of the Romanian DPA.
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.
08.11.2022 Fine for GDPR violation In October 2022, the National Supervisory Authority completed an investigation at SC Prestige Media PHG SRL and found a violation of the provisions of art. 5 para. (1) lit. a) and para. (2) and art. 6 of the General Data Protection Regulation (RGPD). In this context, SC Prestige Media PHG SRL was fined 24,683.5 lei (the equivalent of 5,000 EURO). The investigation was started as a result of a notification regarding a possible violation of the RGPD provisions by publishing on the operator's website some confidential documents, including decisions to terminate the individual employment contracts of some employees of another company. In the course of the investigation, it was found that 23 nominal termination decisions of individual mandate contracts/employment relationships containing personal data (name, surname, position, employment contract number, disciplinary violations) were displayed on that website. to many individuals, although they had no legal relationship with SC Prestige Media PHG SRL. It was also noted that the operator did not present evidence from which it could be concluded that he legally processed the personal data from the 23 documents in the context of unauthorized disclosure in the online environment, by publishing them on his website, according to the provisions of art. 6 of the GDPR. As such, the National Supervisory Authority found the violation by SC Prestige Media PHG SRL of the principles of personal data processing provided for in art. 5 para. (1) lit. a) and para. (2) and of art. 6 of the GDPR. At the same time, the operator was also applied the corrective measure of elimination/anonymization of the information that allows the identification of the persons concerned from the decisions to terminate the mandate contracts/employment reports published on its website. Legal and Communication Department A.N.S.P.D.C.P.
