On 25 September 2023, the Romanian DPA announced the following sanctions against local public administration authority:
- a fine of LEI 10,000 (approximately EUR 2,000) for failing (i) to implement the measures previously ordered under a remedial plan and (ii) to respond to the DPA’s requests;
- a warning for failing (i) to inform data subjects of their rights under the GDPR and (ii) to adopt adequate security and confidentiality measures for data processing through the video surveillance system.
The sanctions stemmed from a complaint concerning potential GDPR violations through video surveillance cameras used to monitor and check all town hall employees. Further to the investigation, the DPA determined that the sanctioned controller failed to implement measures previously mandated under a remedial plan and did not respond to the DPA’s requests.
During the same investigation, the DPA also concluded that the controller did not provide evidence of (i) informing data subjects about their rights under the GDPR, nor (ii) implementing appropriate security and confidentiality measures to protect personal data processed through the owned video surveillance system.
In addition to the above sanctions, the Romanian DPA applied corrective measures, ordering the controller to:
- comply with all requests from the DPA as outlined in the remedial plan;
- implement appropriate security and confidentiality measures for the protection of personal data processed through the video surveillance system;
- provide copies of the procedures adopted, along with evidence of the training of individuals with access to the images captured through the video surveillance system;
- take the necessary steps to ensure that the data subjects are informed about their rights provided for by the GDPR.
The press release is available here, in the Romanian language.