ANSPDCP - Warning issued to Bucharest Municipality (District 4)
|ANSPDCP - Warning issued to Bucharest Municipality (District 4)|
|Relevant Law:||Article 5(1)(a) GDPR|
Article 6(1) GDPR
Articles 12-14 Law no. 190/2018
|National Case Number/Name:||Warning issued to Bucharest Municipality (District 4)|
|European Case Law Identifier:||n/a|
|Original Source:||ANSPDCP (in RO)|
|Initial Contributor:||Stefan Musat|
The Romanian DPA (ANSPDCP) issued a warning against the Bucharest Municipality - District 4 as the General Directorate of 4th District Local Police breached Articles 5(1)(a) and 6(1) GDPR. The warning was issued along with a corrective measure.
English Summary[edit | edit source]
Facts[edit | edit source]
The Romanian DPA (ANSPDCP) received a complaint regarding the violation of the GDPR by the General Directorate of 4th District Local Police regarding the personal data processed using portable audio-video surveillance means. The "BADGE" surveillance portable device was used by the staff of the Local Police in missions and activities carried out in the field.
Dispute[edit | edit source]
Does the controller processed the personal data using the "BADGE" surveillance portable device (which processes image and voice) according to Article 5(1)(a) GDPR and Article 6(1) GDPR?
Holding[edit | edit source]
The ANSPDCP found that the staff of the General Directorate of 4th District Local Police were hierarchically obliged to wear audio-video surveillance devices ("BADGE" type) during their working hours, without any legal provisions in force to govern the use of portable audio-video surveillance systems in the activity of local police officers. Therefore, the personal data (image and voice) were processed without a legal basis by using audio-video surveillance devices ("BADGE" type). The Romanian DPA issued the warning because the controller processed the personal data (image, voice) without fulfilling the legality conditions provided in Article 6(1) GDPR. In addition, the ANSPDCP applied a corrective measure through a remediation plan according to which the controller must ensure the compliance of the processing operations, performed by using the "BADGE" surveillance portable device, with the provisions of Article 5 and Article 6 GDPR.
Comment[edit | edit source]
Share your comments here!
Further Resources[edit | edit source]
Share blogs or news articles here!
English Machine Translation of the Decision[edit | edit source]
The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.
The National Supervisory Authority completed on 11.12.2020 an investigation at ATU Sector 4 Bucharest, represented by the Mayor, for the General Directorate of Local Police Sector 4 and found the violation of the provisions of art. 5 para. (1) lit. a) reported to art. 6 para. (1) of the General Data Protection Regulation. The operator was sanctioned with a warning, accompanied by the following corrective measure, ordered by the remediation plan, respectively to ensure the compliance of the processing operations, performed by using the means of audio-video surveillance type "BADGE", with the provisions of Article 5 and Article 6 of the RGPD. The corrective measure was applied based on the provisions of art. 58 para. (2) lit. i) of the General Regulation on Data Protection, corroborated with the provisions of art. 12-14 of Law no. 190/2018 on measures for the implementation of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing of Directive 95/46 / EC (General Data Protection Regulation). The investigation was launched following the receipt of a complaint regarding the violation of data protection legislation and it was found that the General Directorate of Local Police Sector 4 processes personal data through portable audio-video surveillance means, type "BADGE", used by the staff of the Directorate in missions and activities carried out in the field, in the context in which the local police officers were hierarchically established the obligation to carry on them, during the working hours, these means of audio-video surveillance. At the time of the investigation, it was found that there were no legal provisions governing the use of portable audio-video surveillance systems in the activity of local police officers. As such, it was found that the processing of personal data (image, voice) was carried out without meeting the conditions of legality of processing, as provided in art. 6 para. (1) of the RGPD. We specify that, according to art. 5 para. (1) lit. a) of the RGPD, the operator had the obligation to process the data legally, equitably and transparently to the data subjects. In accordance with the above, recital 41 states that a legislative measure should be clear and precise and that its application should be foreseeable for the persons concerned by it, in accordance with the case law of the Court of Justice of the European Union ("Court of Justice") and the European Court of Human Rights. In addition, recital (45) of the RGPD states: “Where the processing is carried out in accordance with a legal obligation of the controller or if the processing is necessary for the performance of a task which serves a public interest or is part of the processing authority should have a basis in Union or national law. This Regulation does not require the existence of a specific law for each individual processing. A single law may be sufficient as a basis for several processing operations carried out in accordance with a legal obligation of the controller or where the processing is necessary for the performance of a task which serves a public interest or which is part of the exercise of public authority. The purpose of the processing should also be laid down in Union or national law. Moreover, that right could specify the general conditions of this Regulation governing the lawfulness of the processing of personal data, determine the specifications for establishing the controller, the type of personal data subject to processing, data subjects, entities to whom personal data, limitations on purpose, storage period and other measures may be disclosed to ensure lawful and equitable processing. Legal and Communication Department ANSPDCP