The Romanian DPA applies a EUR 10,000 fine for unlawful disclosure of an audio-visual recording on social media


On 23 August 2023, the Romanian DPA announced a fine of EUR 10,000 imposed against a controller for several GDPR violations, including infringements of the rules on lawfulness of processing, processing of special categories of data, right to erasure, and security of processing.

The fine was applied following an investigation triggered by a complaint claiming that the controller disclosed the personal data of the complainant (customer of the controller) by posting an audio-video recording on its social media pages.

Further to the investigation, the Romanian DPA found that the controller:

  • disseminated the complainant’s data from the audio-video recording via its social media pages and used in the comments a name revealing the complainant’s ethnic origin, without any legal basis;
  • did not comply with the complainant’s request to delete the data;
  • did not adopt sufficient appropriate technical and organizational measures to ensure the confidentiality of the personal data processed through the audio-video surveillance system.

The Romanian DPA also applied three corrective measures, the controller being ordered to:

  • ensure GDPR compliance of personal data processing operations, including by developing written procedures;
  • comply with the request for the erasure of the complainant’s personal data related to the posts on the controller’s social media pages;
  • implement appropriate technical and organizational measures, in particular in terms of training the persons processing data under the controller’s authority (employees or collaborators), by organizing regular training sessions with them on their obligations regarding the processing of personal data through the video surveillance system, establishing the conditions under which images or audio-video recordings can be accessed by a limited number of persons based on individual credentials, regularly verifying access to image recordings, as well as the early detection, management and reporting of personal data breaches.

The press release is available here (only in Romanian).