On the 13th of December 2019, the National Supervisory Authority finalised an investigation at the controller Entirely Shipping & Trading S.R.L., ascertaining the following:
the infringement of provisions of Articles 12 and 13 of the General Data Protection Regulation (GDPR);
the infringement of Article 5 paragraph (1) letter c), Article 6 and Article 7 of GDPR;
the infringement of Article 5 paragraph (1) letter c), Article 9 and Article 7 of GDPR;
the infringement of Article 5 paragraph (1) letters a), b) and e) and Article GDPR.
The controller Entirely Shipping & Trading S.R.L. was sanctioned as follows:
reprimand for the infringement of the provisions of Articles 12 and 13 of GDPR, as the controller did not provide evidence to show that it provided clear, complete and correct information to the data subjects;
fine in the amount of 23893 lei, the equivalent of 5000 euros, for the infringement of the provisions of Article 5 paragraph (1) letter c), Article 6 and Article 7 of GDPR, as the controller excessively processed the personal data (image) of its employees through the video cameras installed in the offices where they carry out their activity and in the places where there are cabinets where the employees store their spare clothes (changing rooms);
fine in the amount of 23893 lei, the equivalent of 5000 euros, for the infringement of the provisions of Article 5 paragraph (1) letter c), Article 9 and Article 7 of GDPR, as the controller processed biometric data (fingerprints) of the employees although other means, which are less intrusive for the privacy of data subjects, may be used to achieve this purpose;
reprimand for the infringement of the provisions of Article 5 paragraph (1) letters a), b) and e) of GDPR, as the controller illegally processed the personal data of a former employee by using them in electronic mail correspondence, in order to carry out the activity of the company, after the termination of the contractual relationship with him.
The sanctions were applied following a complaint claiming that Entirely Shipping & Trading S.R.L. installed audio-video surveillance cameras in employees’ offices, changing rooms and in the dining room and that, in certain locations (restricted access spaces), access was based on fingerprints.
It was also claimed that the controller used the identity of a former employee for the transmission of e-mails in the interest of the business without the latter having been informed in advance.
In the investigation, the following were found:
the controller did not prove a justified legitimate interest for the installation of the video surveillance system at its premises which would prevail over the interests or fundamental rights and freedoms of the data subjects, did not prove the consultation of the trade union or, as the case may be, the representatives of the employees before the introduction of the monitoring systems, as well as the fact that other less intrusive ways and modalities for achieving the purpose pursued by the employer have not previously proved their effectiveness;
the operator has not demonstrated the existence of adequate data protection policies and the implementation of appropriate technical and organisational measures to ensure a level of security appropriate to this risk;
the biometric data processed through the access control system was not collected for purposes adequate, relevant and limited to what was necessary in relation to the purposes for which they were processed;
the controller did not carry out a data protection impact assessment.
At the same time, the following corrective measures have been imposed on the controller:
corrective measure to ensure the correct information of the data subjects by communicating in a concise, transparent, intelligible and easily accessible form all the information provided by Article 13 of the GDPR and under the conditions of transparency mentioned in Article 12 of the GDPR, as well as to modify the documents by which the information is currently provided;
corrective measure to ensure the compliance of personal data processing operations within the activity of video monitoring, by observing the principle of “data minimisation”;
corrective measure to ensure the compliance of personal data processing operations within the activity of access control, by observing the principle of “data minimisation”;
corrective measure to ensure the compliance of the personal data processing operations with the provisions of the GDPR, by developing a security policy and implementing appropriate technical and organisational measures in order to ensure a level of security appropriate to the risks.
For further information, please contact the Romanian Supervisory Authority: firstname.lastname@example.org
The press release published here does not constitute official EDPB communication, nor an EDPB endorsement. This press release was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. As the press release is represented here as it appeared on the SA's website or other channels of communication, the news item is only available in English or in the Member State's official language with a short introduction in English. Any questions regarding this press release should be directed to the supervisory authority concerned.