20.06.2022
Sanction for a breach of the GDPR
On 27.05.2022 the National Supervisory Authority completed an investigation of the controller Owners' Association Aviatiei Park, which found breaches of the General Data Protection Regulation (GDPR). The controller was sanctioned with the following fines:
- A fine of Lei 9,885.80 (the equivalent of EUR 2,000) for breaching Article 5 paragraph (1) letters a) and c) and paragraph (2), read together with Article 6 of the GDPR. The controller excessively processed the personal data of delivery and/or courier staff as data subjects (name, surname, series and number of the identity card, destination, arrival time, departure time, observations) without a justified legal basis in relation to the purpose of the processing (access control within the residential complex), and without producing evidence that it properly and completely informed the data subjects or that the data processed were adequate, relevant and limited to what was necessary for that purpose;
- A fine of Lei 24,714.50 (the equivalent of EUR 5,000) for breaching Article 5 paragraph (1) letter e) and paragraph (2) of the GDPR. The controller had not set a storage period for the personal data processed through its video surveillance system (the images) and kept them for longer than necessary to fulfil the purpose for which they were processed, namely access control within the building, although it was obliged to keep the images in a form that permits identification of the data subjects for no longer than necessary for that purpose.
In addition, under Article 58 paragraph (2) letter d) of the GDPR, the following corrective measures were ordered against the controller:
- To review and update the technical and organizational measures implemented following its assessment of the risk to the rights and freedoms of natural persons, including its personal data protection procedures, and to set retention periods so that data are kept in a form that permits identification of the data subjects for no longer than necessary for the purposes for which they are processed.
- To evaluate the processing carried out in light of the proportionality and data minimization principles, with reference to the purpose and legal basis of the processing, and to implement the measures needed to comply with the principles relating to the processing of personal data set out in Article 5 of the GDPR.
The investigation was opened following a complaint reporting a possible breach of the GDPR: representatives of the security company were collecting and processing personal data for the purpose of controlling access at the entrance to the residential complex, requesting various personal data from persons entering the complex and recording them in an internal register.
The investigation established that the processing of data for access control in the residential complex was carried out under a security services agreement concluded between the owners' association (the controller) and the security company (the processor), by which the association mandated the security company to guard and protect the site through security agents and to keep the register of persons' access. To that end, the controller issued the processor an instruction requiring the security agents to fill in the Register of Persons' Access with the personal data listed in its sections, namely name, surname, series and number of the identity card, destination, arrival time, departure time and observations, exclusively for delivery and/or courier services.
The investigation also found that access control in the residential complex was carried out through a video surveillance system as well, and that the Owners' Association could not demonstrate compliance with the storage limitation principle set out in Article 5 paragraph (1) letter e) of the GDPR, i.e. it had not set appropriate storage periods for the images; images recorded approximately one and a half years earlier were found to be still stored.
In this context, we underline that under Article 4 point 7 of the GDPR the controller is the one that determines the purposes and means of the processing, and that under Article 28 paragraph (3) letter a) of the GDPR the processor processes personal data only on documented instructions from the controller.
We also recall that under Article 5 of the GDPR the controller must comply with the principles relating to the processing of personal data, including "lawfulness, fairness and transparency", "data minimisation" and "storage limitation". At the same time, the controller is responsible for compliance with these principles and must be able to demonstrate it (the "accountability" principle).
Legal and Communication Department
ANSPDCP