The Romanian DPA fines controller for breaches of GDPR requirements related to GPS monitoring

23.03.2023

On 23 March 2023, the Romanian DPA announced that it had fined a controller with:

EUR 3,000 for failure (i) to comply with the principles of lawfulness, fairness and transparency, data minimization, storage limitation and accountability (Article 5(1)(a), (c), (e) and (2) of the GDPR) and (ii) to ensure the lawfulness of processing (Article 6 of the GDPR)

EUR 2,000 for failure to comply with the principles of storage limitation and accountability (Article 5(1)(e) and (2) of the GDPR).

The investigation was initiated following a complaint received by the Romanian DPA from an employee of the controller. The complainant alleged that the controller had processed his/her personal data through the GPS installed in the company vehicle used by the complainant without informing him/her about the monitoring, the purpose and legal basis of such processing, and the duration of storage of the personal data collected.

The complainant also alleged that the controller used the information collected using the GPS for another purpose than monitoring the company vehicle used by the complainant.

The Romanian DPA found that the controller:

excessively processed (outside working hours) the complainant’s location data using the GPS installed in the company vehicle used by the complainant, without having demonstrated that it had previously exhausted other less intrusive methods to achieve the purpose of the processing and without having demonstrated that the complainant had been fully informed of the processing

stored the personal data for more than 30 days required by Article 5 of Law No. 190/2018 without providing evidence that exceeding the period was based on legitimate reasons

used the complainant’s personal data collected using the GPS for another purpose than that for which the personal data have originally been collected.

The Romanian DPA also imposed two corrective measures on the controller, namely:

to reassess the necessity of the processing in view of the requirements under the GDPR and Law No. 190/2018

to store the personal data only for the necessary period with reference to the purposes of the processing, in accordance with the requirements under the GDPR and Law No. 190/2018.

The press release is available here (only in Romanian).

Tags:Accountabilitydata minimizationDPA investigationGDPR fineGDPR principlesstorage limitationUpdate

-                                        Number of fines
-                                        Highest fine
+,000 €
-                                        Lowest fine
+€
-                                        Total amount of fines
+,000 €
-                                        Number of corrective measures
-                                        Number of fines triggered by data breach notifications
-                                        Number of fines triggered by complaints
-                                        Legal provisions mentioned in press releases
+                                        Article 24 (1), Article 32 (1) b), d), (2) of GDPR, Article 18 (2) of Law 102/2005

Dismissal of the data protection officer

Minimum data protection checklist on future law on whistleblowing protection

Introducing NIS 2 – main things to know and follow

Iurie Cojocaru

Partner, Head of the Data Protection practice

Roxana Ionescu

(1981-2023)

Statistics

Subscribe to NNDKP’s newsletters

Statistics

More In the spotlight

Statistics

Subscribe to NNDKP’s newsletters