On the 13th of December 2019, the National Supervisory Authority finalised an investigation at the controller Entirely Shipping & Trading S.R.L., ascertaining the following:
the infringement of provisions of Articles 12 and 13 of the General Data Protection Regulation (GDPR);
the infringement of Article 5 paragraph (1) letter c), Article 6 and Article 7 of GDPR;
the infringement of Article 5 paragraph (1) letter c), Article 9 and Article 7 of GDPR;
the infringement of Article 5 paragraph (1) letters a), b) and e) and Article GDPR.
The controller Entirely Shipping & Trading S.R.L. was sanctioned as follows:
reprimand for the infringement of the dispositions of Articles 12 and 13 of GDPR, whereas the controller did not provide evidence to show that it provided clear, complete and correct information to the data subjects;
fine in the amount of 23893 lei, the equivalent of 5000 euros for the infringement of provisions of Article 5 paragraph (1) letter c), Article 6 and Article 7 of GDPR, whereas the controller processed in an excessive way the personal data (image) of its employees through the video cameras installed in the offices where they carry out their activity and in the places where there are cabinets where the employees store their spare clothes (changing rooms);
fine in the amount of 23893 lei, the equivalent of 5000 euros for the infringement of provisions of Article 5 paragraph (1) letter c), Article 9 and Article 7 of GDPR, whereas the controller processed biometric data (fingerprints) of the employees and other means, which are less intrusive for the privacy of data subjects, may be used to achieve this purpose;
reprimand for the infringement of the dispositions of Article 5 paragraph (1) letters a), b) and e) of GDPR whereas the controller illegally processed the personal data of a former employee by using them in the correspondence through electronic mail, in order to carry out the activity of the company, after the termination of the contractual relationship with him.
The sanctions were applied following a complaint claiming that Entirely Shipping & Trading S.R.L. installed audio-video surveillance cameras in employees’ offices, changing rooms and in the dining room and that, in certain locations (restricted access spaces), access was based on fingerprints.
It was also claimed that the controller used the identity of a former employee for the transmission of e-mails in the interest of the business without the latter having been informed in advance.
In the investigation, the following were found:
the controller did not prove a justified legitimate interest for the instalment of the video surveillance system at its premises which would prevail over the interests or fundamental rights and freedoms of the data subjects, did not prove the consultation of the trade union or, as the case may be, the representatives of the employees before the introduction of the monitoring systems, as well as the fact that other less intrusive ways and modalities for achieving the purpose pursued by the employer have not previously proved their effectiveness;
the operator has not demonstrated the existence of adequate data protection policies and the implementation of appropriate technical and organisational measures to ensure a level of security appropriate to this risk;
the biometric data processed through the access control system was not collected for purposes adequate, relevant and limited to what was necessary in relation to the purposes for which they were processed;
the controller did not carry out a data protection impact assessment.
At the same time, the following corrective measures have been imposed to the controller:
corrective measure to ensure the correct information of the data subjects by communicating in a concise, transparent, intelligible and easily accessible form all the information provided by Article 13 of the GDPR and under the conditions of transparency mentioned in Article 12 of the GDPR, as well as to modify the documents by which the information is currently achieved;
corrective measure to ensure the compliance of personal data processing operations within the activity of video monitoring, by observing the principle of “data minimisation”;
corrective measure to ensure the compliance of personal data processing operations within the activity of access control, by observing the principle of “data minimisation”;
corrective measure to ensure the compliance of the personal data processing operations with the provisions of the GDPR, by developing a security policy and implementing appropriate technical and organisational measures in order to ensure a level of security appropriate to the risks.
For further information, please contact the Romanian Supervisory Authority: anspdcp@dataprotection.ro