On 23 March 2023, the Romanian DPA announced that it had imposed the following fines on a controller:
- EUR 3,000 for failure (i) to comply with the principles of lawfulness, fairness and transparency, data minimization, storage limitation and accountability (Article 5(1)(a), (c), (e) and (2) of the GDPR) and (ii) to ensure the lawfulness of processing (Article 6 of the GDPR)
- EUR 2,000 for failure to comply with the principles of storage limitation and accountability (Article 5(1)(e) and (2) of the GDPR).
The investigation was initiated following a complaint received by the Romanian DPA from an employee of the controller. The complainant alleged that the controller had processed his/her personal data through the GPS installed in the company vehicle used by the complainant without informing him/her about the monitoring, the purpose and legal basis of such processing, and the duration of storage of the personal data collected.
The complainant also alleged that the controller used the information collected using the GPS for a purpose other than monitoring the company vehicle used by the complainant.
The Romanian DPA found that the controller:
- excessively processed (outside working hours) the complainant’s location data using the GPS installed in the company vehicle used by the complainant, without having demonstrated that it had previously exhausted other less intrusive methods to achieve the purpose of the processing and without having demonstrated that the complainant had been fully informed of the processing
- stored the personal data for more than the 30 days required by Article 5 of Law No. 190/2018 without providing evidence that exceeding the period was based on legitimate reasons
- used the complainant’s personal data collected using the GPS for a purpose other than that for which the personal data had originally been collected.
The Romanian DPA also imposed two corrective measures on the controller, namely:
- to reassess the necessity of the processing in view of the requirements under the GDPR and Law No. 190/2018
- to store the personal data only for the necessary period with reference to the purposes of the processing, in accordance with the requirements under the GDPR and Law No. 190/2018.
The press release is available here (only in Romanian).