The Romanian DPA applies a EUR 10,000 fine for unlawful disclosure of an audio-visual recording on social media

25.08.2023

On 23 August 2023, the Romanian DPA announced a fine of EUR 10,000 imposed against a controller for several GDPR violations, including infringements of the rules on lawfulness of processing, processing of special categories of data, right to erasure, and security of processing.

The fine was applied following an investigation triggered by a complaint claiming that the controller disclosed the personal data of the complainant (customer of the controller) by posting an audio-video recording on its social media pages.

Further to the investigation, the Romanian DPA found that the controller:

disseminated the complainant’s data from the audio-video recording via its social media pages and used in the comments a name revealing the complainant’s ethnic origin, without any legal basis;
did not comply with the complainant’s request to delete the data;
did not adopt sufficient appropriate technical and organizational measures to ensure the confidentiality of the personal data processed through the audio-video surveillance system.

The Romanian DPA also applied three corrective measures, the controller being ordered to:

ensure GDPR compliance of personal data processing operations, including by developing written procedures;
comply with the request for the erasure of the complainant’s personal data related to the posts on the controller’s social media pages;
implement appropriate technical and organizational measures, in particular in terms of training the persons processing data under the controller’s authority (employees or collaborators), by organizing regular training sessions with them on their obligations regarding the processing of personal data through the video surveillance system, establishing the conditions under which images or audio-video recordings can be accessed by a limited number of persons based on individual credentials, regularly verifying access to image recordings, as well as the early detection, management and reporting of personal data breaches.

The press release is available here (only in Romanian).

Tags:Corrective measuresDPADPA investigationGDPR fineLawfulness of processingRight to erasureSecurity of processingsensitive dataUpdateVideo Surveillance

-                                        Number of fines
-                                        Highest fine
+,000 €
-                                        Lowest fine
+€
-                                        Total amount of fines
+,000 €
-                                        Number of corrective measures
-                                        Number of fines triggered by data breach notifications
-                                        Number of fines triggered by complaints
-                                        Legal provisions mentioned in press releases
+                                        Article 24 (1), Article 32 (1) b), d), (2) of GDPR, Article 18 (2) of Law 102/2005

Dismissal of the data protection officer

Minimum data protection checklist on future law on whistleblowing protection

Introducing NIS 2 – main things to know and follow

Iurie Cojocaru

Partner, Head of the Data Protection practice

Roxana Ionescu

(1981-2023)

Statistics

Subscribe to NNDKP’s newsletters

Statistics

More In the spotlight

Statistics

Subscribe to NNDKP’s newsletters