Sanction for the breach of GDPR
In July 2022, the National Supervisory Authority completed an investigation of the controller Denmar Nacrut SRL and found a breach of the provisions of Article 12, Article 13, as well as those of Article 5 paragraph (1) letters a), b) and c), by reference to Article 5 paragraph (2) and Article 6 of the General Data Protection Regulation.
Therefore, the controller was sanctioned as follows:
- a fine of Lei 4,945.1 (the equivalent of EUR 1,000) for the breach of the provisions of Articles 12-13 of the General Data Protection Regulation;
- a fine of Lei 7,417.65 (the equivalent of EUR 1,500) for the breach of the provisions of Article 5 paragraph (1) letters a), b) and c), by reference to Article 5 paragraph (2) and Article 6 of the General Data Protection Regulation.
At the same time, based on Article 58 paragraph (2) letter d) of the General Data Protection Regulation, the following corrective measures were taken against the controller:
- informing the data subjects by communicating, in a concise, transparent, intelligible and easily accessible form, all the information provided under Article 13 of the General Data Protection Regulation, subject to the transparency conditions mentioned under Article 12 of the same Regulation;
- ceasing the use of the video surveillance camera in the cosmetic room, for which there is no specific legal ground under Article 6 of the General Data Protection Regulation for processing the personal data of the clients and of the employees;
- ensuring the compliance of the personal data processing operations with the General Data Protection Regulation, through the implementation of adequate technical and organisational measures and the establishment of adequate rules for managing the images recorded by the surveillance cameras;
- prohibiting remote access over the internet to the images and recordings, and allowing access to the images and recordings solely in case of an accident related to the purpose for which the video surveillance cameras were installed.
The investigation was started following a notification in which a natural person reported that data subjects, clients of Denmar Nacrut SRL, were under video surveillance while cosmetic services were being performed.
During the investigation, it was found that the controller Denmar Nacrut SRL has a video surveillance system installed both inside and outside the space where it carries out its activity, which monitors both the employees and the clients.
It was also found that the controller did not prove that it had clearly, completely and accurately informed its employees and the data subjects whose personal data (namely their image) are processed through the video surveillance cameras, by communicating all the information provided under Article 13 of the General Data Protection Regulation, subject to the transparency conditions of Article 12 of the same Regulation.
At the same time, it emerged that Denmar Nacrut SRL did not provide any evidence of previous incidents to justify its legitimate interest as prevailing over the interests or fundamental rights and freedoms of the data subjects. Therefore, it was found that the controller excessively processed the data (images) of its clients and employees through the video camera installed in the location where the cosmetic treatments were performed. The data thus processed were not adequate, relevant and limited to what is necessary by reference to the purposes for which they were processed (“data minimisation”). The purpose declared by the controller could have been achieved through means less intrusive to the privacy of its clients and employees.
Therefore, a breach of the provisions of Article 5 paragraph (1) letters a), b) and c) of the General Data Protection Regulation was found, by reference to the conditions regarding the lawfulness of processing established under Article 6 of the same Regulation.
Moreover, the controller was not able to prove its observance of the processing principles, according to Article 5 paragraph (2) of the General Data Protection Regulation.
Legal and Communication Department