On 20 June 2022, the Romanian DPA announced that it had sanctioned an Owners' Association with two fines amounting in total to EUR 7,000 for non-compliance with the GDPR principles.
The investigation was launched following the receipt of an affected data subject’s complaint reporting that several categories of data were being collected and processed for the purpose of giving access to the persons entering the residential complex, such data being kept in an internal register.
During the investigation, the Romanian DPA found that the processing of data was carried out in accordance with a security service contract concluded between the Owners’ Association (controller) and the security company (processor), whereby the former mandated the security company to ensure the security and protection of the premises by security guards and to complete the register of access records with the personal data mentioned in its fields, i.e., name, surname, series and number of identity card, destination, time of arrival, time of departure, remarks, exclusively for delivery and/or courier services. Access control at the residential complex was also carried out by means of a video surveillance system.
Therefore, the company was sanctioned as follows:
- with a fine of EUR 2,000 for excessive processing of personal data of deliverers and/or couriers as data subjects (name, surname, ID card number and series, destination, time of arrival, time of departure, remarks) without a justified legal basis in relation to the purpose of the processing; without providing evidence that the controller has fully and correctly informed the data subjects and without proving that the data processed are adequate, relevant and limited to what is necessary in relation to the purpose of the processing;
- with a fine of EUR 5,000 for failing to set a storage period for the personal data processed through video surveillance and storing the data for a longer period than necessary to fulfil the purpose for which they are processed (i.e., access control in the establishment).
In addition to the fines, the Romanian DPA imposed the following corrective measures:
- Review and update of the technical and organisational measures implemented following the assessment of the risk to the rights and freedoms of individuals, including the procedures relating to the protection of personal data, and establishment of time limits for the retention of data in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data are processed.
- Assessment of the processing carried out, taking into account the principle of proportionality and data minimization in relation to the purpose and legal basis of the processing and implementation of the necessary measures to comply with the principles relating to the processing of personal data laid down in Article 5 of the GDPR.
The press release is available here (only in Romanian).