On 27 December 2022, the Romanian DPA announced that it had sanctioned a major hypermarket chain with a 3,000 EUR fine for failing to ensure the security of processing, including failing to ensure that any natural person acting under its authority who has access to personal data does not process them except on its instructions.
The investigation was launched following a data breach notification submitted by the controller, after a data subject notified it that a video of him/her in the parking lot of one of the hypermarket chain’s stores had been published on a local newspaper's website. The investigation was finalized in November 2022.
During the investigation, the Romanian DPA found that an employee had access to the video monitoring room, captured images of the video recordings using a personal mobile phone and sent them via WhatsApp to a third party. Subsequently, the images were posted by an online publication. As a result, the image and the car registration number were revealed and two people were affected by the incident.
The controller did not take steps to ensure that any natural person acting under its authority who has access to personal data only processed them at its request and did not take adequate measures to protect the data on an ongoing basis.
At the same time, the controller failed to implement appropriate technical and organizational measures to ensure a level of confidentiality and security appropriate to the risks presented by processing, in particular the risks of accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored or otherwise processed.
In addition to the fine, the Romanian DPA imposed a corrective measure, ordering the controller to implement instructions prohibiting the use of employees’ personal devices (such as mobile phones and tablets) to record videos or take photos, or to upload or share them on WhatsApp or social networks.
The press release is available here (only in Romanian).