On 13 November 2024, the Romanian DPA announced a fine of the RON equivalent of EUR 4,000 imposed on a controller in the HR Industry for violation of the GDPR. The violations pertained to the controller’s unlawful monitoring of employees’ vehicles.
The fine was applied following an investigation triggered by a complaint submitted by an employee claiming that the controller had monitored the location of their assigned company vehicle via the installed GPS monitoring system, while they were out of working hours, including during leave periods.
Further to the investigation, the Romanian DPA found the controller in breach of the principles of processing of personal data, relating to lawfulness and transparency and data minimization. Moreover, it was found that the controller stored data collected via the GPS monitoring system for periods exceeding the 30 days legal term, for which it was issued a written warning.
The Romanian DPA also applied two corrective measures, the controller being ordered to:
- re-asses the need to use data from the GPS monitoring system installed in the company vehicles;
- limit the data storage period in relation to the purposes of data processing and remove excessively stored/processed data from the log system.
The press release is available here (only in Romanian).
