On 12 December 2024, the Romanian DPA announced a fine of the RON equivalent of EUR 4,000 imposed on a controller offering public transport services for violation of the GDPR. The violations pertained to the controller’s excessive monitoring of its employees.
The fine was applied following an investigation triggered by a complaint stating that the controller installed in its vehicles audio-video surveillance systems aimed at the company’s vehicle operators with available remote access.
Further to the investigation, the Romanian DPA found that the controller unlawfully processed the personal data of a large number of driver employees, namely image and voice through the audio-video surveillance system installed inside the driver cabins of public transport vehicles. The surveillance was also found to breach passengers’ rights in respect of the collection of their sounds/voice through the cameras installed. Moreover, it was uncovered that the images and audio captured by the surveillance cameras were used by the controller for other purposes, including to the detriment of employees, in the course of the investigation and disciplinary proceedings.
The Romanian DPA also applied one corrective measure, the controller being ordered to reassess the need to use audio-video surveillance cameras installed inside the driver cabins of public transport vehicles and, as well as the need to use the audio option of surveillance cameras installed in the vehicles.
The press release is available here (only in Romanian).
