On 9 August 2022, the Romanian DPA announced it sanctioned three controllers as per the following:
- a fine amounting to EUR 1,000 imposed against a beauty salon for breaching Articles 12 and 13 of the GDPR and another EUR 1,500 for failing to comply with several data protection principles, including the lawfulness of processing, while video monitoring its employees and clients. Additionally, the DPA applied certain corrective measures. It is worthy to note that the DPA underlined that the controller did not provide evidence of previously existing incidents justifying its legitimate interests overriding the interests or fundamental rights and freedoms of the data subjects concerned. The press release is available here (only in Romanian);
- a fine amounting to EUR 1,000 imposed against a construction company for processing without a legal ground an employee’s personal data for their registration on the national vaccination platform, as well as for breaching other data protection principles. The press release is available here (only in Romanian);
- a fine amounting to EUR 7,000 imposed against a passenger transport company for not providing in due time the information requested during a DPA investigation. Additionally, the DPA applied a warning for breaching Article 12 (1) of the GDPR. It is of particular importance that the amount of the fine is significantly higher as compared to the other fines imposed by the authority. The press release is available here (only in Romanian).