On 7 April 2023, the Romanian DPA announced a EUR 3,000 fine for audio-video monitoring of employees in breach of several processing principles under the GDPR.
The investigation was launched following the receipt of a data subject’s complaint alleging that employees and collaborators of the sanctioned controller are subject to audio-video monitoring at work without their consent.
During the investigation, the Romanian DPA held that the processing of the employees’ personal data by means of this video monitoring system is excessive by reference to the purposes declared by the controller (i.e., monitoring access, ensuring the security of premises and goods, personal safety). This is since such purposes are deemed achievable by less intrusive means for the employees’ privacy. Thus, it was concluded that the said monitoring had been carried out in breach of the following GDPR provisions:
- Article 5 (1) (a) – lawfulness, fairness, and transparency principle;
- Article 5 (1) (b) – purpose limitation principle;
- Article 5 (1) (c) – data minimization principle;
- Article 6 – lawfulness of processing.
In addition to the fine, the Romanian DPA imposed a corrective measure, ordering the controller to remove the video surveillance cameras installed in the offices and dining room, for which there is no specific legal basis for processing the employees’ personal data in accordance with Article 6 of the GDPR.
This is not the first time that the Romanian DPA has imposed sanctions for unlawful audio-video monitoring of employees. Based on the available public information to date, the sanctions for non-compliance in this field range from a warning to EUR 5,000 fine (e.g., this case).
The press release is available here (only in Romanian).