On 21 October 2021, the Romanian DPA announced it sanctioned a tech provider with a EUR 5,000 fine for conducting audio-video surveillance of its employees without an appropriate legal basis for such processing.
The investigation was launched following the receipt of an affected data subject’s complaint alleging audio-video monitoring systems being installed at the workplace for the purpose of subsequently using the recordings against employees.
Following the investigation, the DPA concluded that the said controller was unable to demonstrate compliance with any of the legal basis applicable for such surveillance of employees, as well as the lawfulness, fairness, and transparency principle, thus breaching Articles 5 (1) (a) and 6 (1) of the GDPR.
In addition, the Romanian DPA imposed several corrective measures ordering the controller (i) to cease the processing operations performed via audio-video monitoring systems, (ii) to delete any records of personal data resulting from the said operations, and (iii) to bring the investigated operations into compliance with the GDPR requirements.
Moreover, the DPA emphasized that in cases where an employer uses surveillance monitoring systems for its legitimate interests under Article 6 (1) (f) of the GDPR, the additional requirements set out in Article 5 of Law No. 190/2018 implementing the GDPR have to be observed.
The press release is available here (only in Romanian).