26.06.2025
Sanctions for infringing the GDPR
The National Supervisory Authority for Personal Data Processing completed, in May 2025, an investigation at the controller SC Piramida Trade Invest SRL and found breaches of Article 5 paragraph (1) letter a), Article 6 paragraph (1), Article 12 paragraph (3), Article 15, Article 17, Article 21 and Article 32 paragraph (1) letter b) of Regulation (EU) 2016/679.
As such, the controller was sanctioned with:
- a fine of 10,146 lei (the equivalent of 2,000 euros) for the infringement of Article 5 paragraph (1) letter a) and of Article 6 paragraph (1) of Regulation (EU) 2016/679;
- a fine of 5,073 lei (the equivalent of 1,000 euros) for the infringement of Article 12 paragraph (3), Article 15, Article 17 and Article 21 of Regulation (EU) 2016/679;
- a reprimand for the infringement of Article 32 paragraph (1) letter b) of Regulation (EU) 2016/679.
The investigation was initiated following a complaint submitted by a natural person reporting possible violations in the processing of personal data in connection with the monitoring of employees through audio-video surveillance systems.
During the investigation, the National Supervisory Authority for Personal Data Processing found that the controller did not provide mandatory, complete and explicit prior information to its employees. At the same time, it did not provide evidence that it had previously used other less intrusive forms and methods to achieve the intended purpose. Consequently, the personal data were not processed in a lawful, fair and transparent manner towards the data subject (“legality, fairness and transparency”), which constitutes a violation of the provisions of Article 5 paragraph (1) letter a) and Article 6 of Regulation (EU) 2016/679 and is punishable by a fine of 2,000 euros.
At the same time, during the investigation it emerged that the controller did not provide proof that it had responded to the data subject’s requests, from a certain period, to exercise the rights of access, erasure and to object, within one month of their receipt. In addition, the employer did not provide the copy of the audio-video recordings from that period that was requested by the employee. Therefore, this situation represents a violation of the provisions of Article 12 paragraph (3), Article 15, Article 17 and Article 21 of Regulation (EU) 2016/679 and the controller was sanctioned with a fine of 1,000 euros.
During the investigation it was also found that the company had allowed the installation, without the knowledge of the controller, of a filter for forwarding messages from one email address to another email address. This led to the disclosure of documents of a data subject (which included medical documents) to persons outside the company. As such, the controller did not prove that it had adopted appropriate technical and organizational measures to ensure the confidentiality, integrity, availability and continuous resilience of personal data processing systems and services, which is a violation of the provisions of Article 32 paragraph (1) letter b) of Regulation (EU) 2016/679. For this act, the controller was sanctioned with a reprimand.
At the same time, pursuant to the provisions of Article 58 paragraph (2) letters c) and d) of Regulation (EU) 2016/679, the following corrective measures were also ordered:
- to take the necessary measures so that, in the future, the compliance of processing operations with the provisions of Regulation (EU) 2016/679 is ensured, namely that the video cameras installed outside the building record images only from the perimeter of the company Piramida Trade Invest SRL. At the same time, it was ordered to eliminate the use of video surveillance cameras installed in offices, in the warehouse and in the production hall, for which there is no express legal basis for processing according to Article 6 of Regulation (EU) 2016/679;
- to provide full information to all data subjects, in relation to all activities involving the processing of personal data, by providing all the information provided for in Articles 13 and 14 of Regulation (EU) 2016/679, as appropriate, and in compliance with the conditions provided for in Article 12 of Regulation (EU) 2016/679;
- to adopt internal procedures regarding the manner of handling requests submitted by data subjects pursuant to the provisions of Articles 12-22 of Regulation (EU) 2016/679, complying in all cases with the applicable provisions regarding the assessment and handling of these requests without delay and the communication of responses to data subjects within the legal deadlines, as well as regular training of the controller’s employees in this regard;
- to ensure compliance of personal data processing operations with Regulation (EU) 2016/679 for the purpose of implementing an appropriate internal policy for identifying risks, assessing them and notifying the National Supervisory Authority in the event of a security breach, under the conditions provided for in Article 33 paragraph (1) of Regulation (EU) 2016/679, including in terms of appropriate training of persons who process data under the authority or on behalf of Piramida Trade Invest SRL (employees, collaborators, authorized persons, etc.);
- to send the data subject a response to the requests to exercise the rights of access, to object and of erasure that the data subject submitted.
Legal and Communication Department
A.N.S.P.D.C.P