Home » Comunicat_Presa_27_12_2022
 Română | English | Francais



Sanction for the GDPR infringement


The National Supervisory Authority finalized in November 2022 an investigation at the controller Kaufland România SCS and found the breach of the provisions of Article 29 and Article 32 paragraph (1) letter b) and paragraph (2) and paragraph (4) from the Regulation (EU) 2016/679.

Therefore the controller Kaufland România SCS was sanctioned with a fine in amount of Lei 14,779.80 (the equivalent of EUR 3,000).

The investigation was started following a data security breach notification submitted by the controller based on the provisions of Regulation (EU) 2016/679.

Therefore, the controller Kaufland România SCS was informed by a data subject on the fact that a video footage containing images with him/her from the parking of one of the stores held by this commercial network appeared on the webpage of a local newspaper.

Within the investigation performed, it resulted that the store manager allowed the access of an employee within the monitoring room, that captured, with the personal mobile phone, images of the video recordings that were displayed and that were provided through WhatsApp to a third party.

Therefore, the image and the registration number of the vehicle were disclosed, two data subjects being therefore affected by this incident.

It was fount that the controller did not take measure in order to ensure that any natural person acting under its authority and that has access to personal data processes them only at its request and did not take adequate measures in order to continuously protect the data.

Also, it did not implement adequate technical and organisational measures in order to ensure a level of confidentiality and security corresponding to the processing risk generated specifically by the accidental or illegal destruction, loss, modification, unauthorized disclosure or unauthorized access to the personal data provided, stored or otherwise processed.  

At the same time, based on the provisions of Article 58 paragraph (2) of Regulation (EU) 2016/679 it also the corrective measure to implement instructions for the ban of the use of personal equipment of the employees (such as mobile phone, tablets) in order to record/take photos/download/distribute video records by using WhatsApp or social networks was ordered to the controller.


Legal and Communication Department