23.03.2023
Sanction for the GDPR infringement
The National Supervisory Authority finalized in February this year an investigation at the controller Tehnoplus Industry SRL within which it found the breach of the provisions of Article 5 paragraph (1) letters a), c), e) and paragraph (2), as well as of Article 6 of the General Data Protection Regulation (GDPR).
Therefore, the company Tehnoplus Industry SRL was sanctioned as it follows:
- with fine in amount of Lei 14,697.9, the equivalent of Eur 3,000 for the breach of the provisions of Article 5 paragraph (1) letters a), c) and e) and paragraph (2) and Article 6 of the GDPR;
- fine in amount of Lei 9,798.6, the equivalent of Eur 2,000 for the bReach of the provisions of Article 5 paragraph (1) letter e) and paragraph (2) of the GDPR.
The investigation took place following a complaint through which it was claimed that the controller processed the personal data of the claimant through the GPS system installed on his work car, without being informed in relation to the monitoring of the vehicle, the purpose and legal basis for this processing and the storage duration of the data thus collected.
Also, the claimant argued that the information extracted from the GPS system were used by the controller for another purpose than the one of monitoring the work car allocated to him.
Within the investigation performed it was found that Tehnoplus Industry SRL processed excessively (outside the working hours) the location data corresponding to the claimant, employee of the controller, through the GPS monitoring system installed on his work car, without being able to prove that previously it exhausted other methods less intrusive for achieving the purpose of the processing and without proving the full information of the claimant in relation to the processing of the data through the GPS system, thus breaching the provisions of Article 5 paragraph (1) letters a), c) and of Article 6 of the GDPR.
Also, it was found that the controller stored the data from the above-mentioned system after the expiry of the storage duration, without presenting evidence from which to result that exceeding the 30 days deadline provided under Article 5 of Law no. 190/2018 is based on justified reasons, thus breaching the provisions of Article 5 paragraph (1) letter e) and paragraph (2) of the GDPR.
Also, it was found that the controller used the claimant’s data from the GPS system for another purpose than the one for which it has collected them initially.
At the same time, based on Article 58 paragraph (2) letter d) of the GDPR, the following were ordered against Tehnoplus Industry SRL:
- The corrective measure to ensure the compliance with the GDPR of the collecting and subsequent processing of personal data operations, through the reevaluation of the necessity to achieve the purposes proposed through the use of the location data from the GPS monitoring system installed on the work vehicles of the controller’s employees and the avoidance of excessive collecting of data, by reference to the obligations provided under the GDPR and Law no. 190/2018;
- The corrective measure to ensure the compliance with the GDPR of the collecting and subsequent processing of personal data operations, by limiting the storage period by reference to the purposes of the data processing, according to the obligations provided under GDPR and Law no. 190/2018.
Legal and Communication Department
A.N.S.P.D.C.P.