The Romanian DPA has imposed a fine of €2,000 and issued two warnings for several GPS-related violations

03.10.2024

On 2 September 2024, the Romanian DPA announced that it had imposed a fine of €2,000 and issued two warnings against a major data controller in the construction and infrastructure sector for breaching the GDPR.

The sanctions were imposed following an investigation launched after receiving several complaints from a data subject, an employee of the data controller, who complained about being monitored by a GPS system without being informed about its existence.

Details of the violations

The DPA’s investigations revealed three main areas of concern, each leading to separate sanctions:

  • the lack of evidence that other less intrusive methods have previously been used to achieve the purpose of the processing (mainly referring to travel sheets and monthly timesheets) and the absence of a clearly established legal basis for the processing of such data (sanctioned with the €2,000 fine);
  • the lack of evidence that the data subject has been fully and transparently informed about the processing of his data collected by the GPS monitoring system installed on the service car (sanctioned with a warning);
  • the storage of data collected through the use of the GPS monitoring system for 6 months in the absence of evidence that the exceeding of the 30-day time limit provided for by Law No. 190/2018 is based on justified reasons (sanctioned with a warning).

Corrective measures imposed

 The Romanian DPA has also imposed the following corrective measures:

  • re-assessing the necessity of achieving the proposed purposes by using data derived from the use of the GPS monitoring system installed in the service cars of the controller’s employees;
  • transparent, accurate and complete information of all data subjects whose personal data are processed by the controller, including the data subject who submitted the complaint;
  • limitation of the data storage period in relation to the purposes of the data processing, in compliance with the obligations laid down in Regulation (EU) 2016/679 and Law No. 190/2018.

The complete press release detailing this decision is available on the Romanian DPA’s website – here (only in Romanian).

Statistics