The National Supervisory Authority for the Processing of Personal Data completed, in November 2024, an investigation at the operator Compania de Transport Public Cluj-Napoca SA and found a violation of art. 5 para. (1) let. a), b), c), para. (2) and art. 6 , in conjunction with art. 5 let. a)-d) of Law no. 190/2018, in relation to the provisions of art. 83 para. (5) let. a) of Regulation (EU) 2016/679 .
As such , the operator was fined 19,902 lei, the equivalent of 4,000 euros.
The investigation was initiated following a complaint indicating that, at the level of the Cluj-Napoca Public Transport Company SA, audio-video surveillance cameras are installed in the driver’s cabin of vehicles, directed towards the driver, with the possibility of remote online monitoring.
During the investigation, it was found that the operator illegally processed the personal data of a large number of employees working as drivers, respectively the image and voice through the audio-video surveillance system installed inside the driver’s cabins of public transport vehicles (trolleybuses and buses), in violation of the provisions of art. 5 para. (1) let. a), b), c), para. (2) and art. 6 of Regulation (EU) 2016/679, in conjunction with art. 5 let. a)-d) of Law no. 190/2018.
Thus, over a period of several years, the processing of personal data of data subjects (employees) in the context of employment relationships was carried out by the operator in violation of the principles of personal data processing, regarding legality, legitimacy and limited to what is necessary in relation to the purposes for which the data are processed.
It was also found that the images and sounds captured by the surveillance cameras were used by the operator for other purposes, including to the detriment of employees, within the framework of investigation and disciplinary sanction procedures.
At the same time, it was noted that this method of processing personal data through the surveillance system installed in public transport may, due to its illegal and excessive nature, also affect other categories of data subjects (passengers), in terms of collecting their sounds/voices through the installed cameras.
The corrective measure was also ordered against the operator to ensure compliance with Regulation (EU) 2016/679 of the collection and further processing of personal data, by reassessing the need to achieve the proposed purposes, on the one hand, by using audio-video surveillance cameras installed inside the driver’s cabins of public transport vehicles, and on the other hand, by using the audio option of the surveillance cameras installed in public transport vehicles, in accordance with the principles and conditions of legality provided for by the Regulation and Law no. 190/2018.
In this context, we reiterate that art. 5 of Law no. 190/2018, provides:
“Processing of personal data in the context of employment relationships
If monitoring systems are used by electronic means of communication and/or by means of video surveillance at the workplace, the processing of employees’ personal data, for the purpose of achieving the legitimate interests pursued by the employer, is permitted only if:
a) the legitimate interests pursued by the employer are well justified and prevail over the interests or rights and freedoms of the data subjects;
b) the employer has carried out the mandatory, complete and explicit prior information of the employees;
c) the employer consulted the trade union or, as the case may be, the employee representatives before introducing the monitoring systems;
d) other less intrusive forms and methods for achieving the goal pursued by the employer have not previously proven their effectiveness; and
e) the duration of storage of personal data is proportional to the purpose of processing, but not longer than 30 days, except in situations expressly regulated by law or in duly justified cases.”
https://www.dataprotection.ro/index.jsp?page=Comunicat_Presa_12.12.2024&lang=ro