Sanction for the breach of GDPR
During February 2022, the National Supervisory Authority finalised an investigation at the controller IAMSAT Muntenia SA and found the breach of the provisions of Article 12, Article 13 and Article 21 of the General Data Protection Regulation.
The controller was sanctioned, as it follows:
- with a fine, in amount of Lei 9,892.4, the equivalent of EUR 2,000, for the breach of the provisions of Articles 12-13 of the General Data Protection Regulation;
- fine in amount of Lei 4,946.2, the equivalent of EUR 1,000, for the breach of the provisions of Article 12 paragraph (3) and Article 21 of the General Data Protection Regulation.
The investigation was started following a complaint submitted by a data subject that claimed that IAMSAT Muntenia SA continued to process his/her personal data after the termination of the employment agreement, in 2020. Through a request, this person brought to the knowledge of the controller that he/she does not give his/her consent for the use of his/her e-mail address and is opposing to the processing of his/her personal data by IAMSAT Muntenia SA and/or third parties natural or legal persons, after the termination of the employment agreement.
Within the investigation performed, it was noted that IAMSAT Muntenia SA did not submit proofs regarding the prior and complete information of its employees, including of the data subject, before starting the processing of the personal data of these persons through video surveillance means installed at their workplace, put into function from the 2020 mid-year, although the controller has the obligation to inform the employees according to Article 12-13 of the General Data Protection Regulation.
Also, it was found that IAMSAT Muntenia SA did not handle the request of the data subject and did not communicate an answer regarding the measures taken following the exercise of the right to object within the legal deadlines, according to the provisions of Article 12 paragraph (3) corroborated with the provisions of Article 21 of the General Data Protection Regulation.
At the same time, within the investigation two corrective measures were applied to the controller, as it follows:
- the corrective measure to ensure the compliance with the General Data Protection Regulation of the personal data processing operations, by ensuring a complete information of the data subjects, specifically of the controller’s employees, in relation to the use of the video-surveillance system, by reference to the obligations provided under Article 12-13 of the General Data Protection Regulation;
- the corrective measure to provide an answer to the data subject to his/her request, that would contain the measures taken subsequent to the exercise of the right to object, by reference to the provisions of Article 12 and 21 of the General Data Protection Regulation.
Legal and Communication Department