29.12.2025
Sanction for infringing the GDPR
The National Supervisory Authority for Personal Data Processing completed, in November 2025, an investigation at the controller Ordinul Asistenților Medicali Generaliști, Moașelor și Asistenților Medicali din România – Filiala Neamț and found a violation of the provisions of Article 5 paragraph (1) letter a), Article 6, Article 32 paragraph (1), Article 12 and Article 13 of the General Data Protection Regulation (GDPR).
As such, the controller was sanctioned as follows:
- fine in the amount of 10,177 lei, the equivalent of 2,000 euros, for violating the provisions of Article 5 paragraph (1) letter a) and Article 6 of the GDPR;
- reprimand for violating the provisions of Article 32 paragraph (1) of the GDPR;
- reprimand for violating the provisions of Article 12 and Article 13 of the GDPR.
The investigation was initiated following a complaint in which the petitioner claimed that the controller had installed a video surveillance camera facing the office where he worked and that he had not been informed about the existence of the video surveillance system.
During the investigation, the National Supervisory Authority found that the controller had processed the image of its employees and students, through video surveillance cameras installed in the offices and in the classroom, without providing proof that it had carried out prior consultation with the employees/union before installing and putting into operation the video surveillance system at the workplace.
It was also found that the controller did not prove that other, less intrusive forms and methods for achieving the purpose pursued by the employer had previously proven ineffective, and that the controller did not implement adequate technical and organizational measures to ensure the security and confidentiality of personal data processed through the video surveillance system.
Furthermore, during the investigation it was also found that the controller did not present evidence showing that it had fully informed the data subjects about the processing of data through the video surveillance system, which constitutes a violation of the provisions of Articles 12 and 13 of the GDPR.
At the same time, the controller was ordered to take the following corrective measures:
- to eliminate the use of the video surveillance system installed in offices and in the classroom, for which there is no express legal basis for processing the personal data of its employees, in relation to Articles 5 and 6 of the GDPR;
- to ensure that data subjects are fully informed about all activities involving the processing of personal data, by providing all the information provided for in Articles 13 and 14 of the GDPR, as appropriate, and in compliance with the conditions provided for in Article 12 of the GDPR;
- to implement appropriate technical and organizational security measures for all processing of personal data, in particular for processing carried out through video surveillance cameras, in accordance with Articles 24, 29 and 32 of the GDPR;
- to take the necessary measures so that, in the future, the compliance of processing operations with the provisions of the GDPR is ensured, namely that video cameras installed outside the building record images only from the perimeter belonging to the controller, and not from the public domain.
We note that the controller has paid the fine imposed.
Legal and Communication Department
A.N.S.P.D.C.P
