# Case Study: A GDPR Fine in Romania

The following material is available on the website of the National Supervisory Authority for Personal Data Processing at: [https://www.dataprotection.ro/index.jsp?page=Comunicat_Presa_09.08.2022_2&lang=en](https://www.dataprotection.ro/index.jsp?page=Comunicat_Presa_09.08.2022_2&lang=en)

**The National Supervisory Authority finalized in July 2022 an investigation at the controller DN SRL and found the breach of the provisions of Article 12, Article 13, as well as those of Article 5 paragraph (1) letters a), b) and c), by reference to Article 5 paragraph (2) and Article 6 of the General Data Protection Regulation.**

**Therefore, the controller was sanctioned as follows:**

- **fine in amount of lei 4,945.1 (the equivalent of EUR 1,000)** for the breach of the provisions of Articles 12-13 of the General Data Protection Regulation;
- **fine in amount of Lei 7,417.65 (the equivalent of EUR 1,500)** for the breach of the provisions of Article 5 paragraph (1) letters a), b) and c), by reference to Article 5 paragraph (2) and Article 6 of the General Data Protection Regulation.

At the same time, based on Article 58 paragraph (2) letter d) of the General Data Protection Regulation, the following **corrective measures** were taken against the controller:

1. providing the information of the data subjects through the communication in a concise, transparent, intelligible and easily accessible form of all information provided under Article 13 of the General Data Protection Regulation and subject to the transparency conditions mentioned under Article 12 of the same Regulation;
2. the elimination of the use of the video surveillance camera existing within the cosmetic room for which there is no specific legal ground for the processing of the clients’ personal data and of its employees according to Article 6 of the General Data Protection Regulation;
3. ensuring the compliance of the personal data processing operations with the General Data Protection Regulation, through the implementation of some adequate technical and organisational measures and the establishment of some adequate rules relating to the management of the images registered by the surveillance cameras;
4. the interdiction of the remote access through internet to the images and registrations, as well as the access of the images and registrations solely in case of accident in relation to the purpose of the video surveillance cameras instalment.

The investigation was started following an intimation through which a natural person noticed that there were data subjects, clients of **DN SRL**, who were under video surveillance during the performance of some cosmetic services.

Within the investigation performed, it was found that the controller **DN SRL** holds a video surveillance system installed both inside, as well as outside the space where the controller carries out its activity, that monitors both the employees and clients.

Also, it was found that the controller did not prove that it performed **a clear, complete and accurate information of its employees and of the data subjects whose personal data (respectively the image) are processed through the video surveillance cameras**, by communicating all the information provided under Article 13 of the General Data Protection Regulation and subject to the transparency conditions from Article 12 of the same regulation.

At the same time, it resulted that **DN SRL** did not provide any proofs of some previous existing incidents in order to justify its legitimate interest that prevails over the interests or fundamental rights and freedoms of the data subjects. Therefore, it was found that the controller excessively processed the data (images) of its clients and employees, through the video camera installed in the location where the cosmetic treatments were performed. The data thus processed were not adequate, relevant and limited to what is necessary by reference to the purposes for which they were processed (“data minimisation”). The purpose declared by the controller could have been achieved through less intrusive means for the privacy of its clients and employees.

Therefore, the breach of the provisions of Article 5 paragraph (1) letters a), b) and c) of the General Data Protection Regulation by reference to the conditions regarding the lawfulness of the processing established under Article 6 of the same regulation was found.

Moreover, the controller was not able to prove the observance of the processing principles according to Article 5 paragraph (2) of the General Data Protection Regulation.