The National Supervisory Authority for the Processing of Personal Data completed in October 2024 an investigation at the operator UP ROMÂNIA SRL and found a violation of the provisions of art. 5 paragraph (1) a), c) and para. (2) and art. 6 of Regulation (EU) 2016/679 , in conjunction with art. 5 a)-d) from Law no. 190/2018, as well as the violation of the provisions of art. 5 para. (1) e) and para. (2) of Regulation (EU) 2016/679 , in conjunction with art. 5 of Law no. 190/2018.

As such, the operator was sanctioned:

• with a fine of 19,898.4 Ron (the equivalent of 4,000 Euros) for violating the provisions of art. 5 paragraph (1) a), c) and para. (2) and art. 6 of Regulation (EU) 2016/679 , in conjunction with art. 5 a)-d) from Law no. 190/2018 ;
• with a warning for violating the provisions of art. 5 para. (1) lit. e) and para. (2) of Regulation (EU) 2016/679 , in conjunction with art. 5 of Law no. 190/2018.

The investigation was launched following a complaint by a natural person regarding a possible violation of Regulation (EU) 2016/679.

During the investigation, it was found that the operator processed the personal data of his employee, data collected through the GPS monitoring system installed on the company car, while he was outside the working hours, including during vacation periods.

Thus, the processing of the data related to the identification and its location during the employee’s free time, was carried out without a legal basis and in violation of the principles of personal data processing, regarding legality and transparency as well as the reduction of data to a minimum.

At the same time, it was found that this situation affected several employees of the operator, who were in a similar situation.

As such, this situation represents a violation of the provisions of art. 5 paragraph (1) lit. a), c) and para. (2) and art. 6 of Regulation (EU) 2016/679, in conjunction with art. 5 a)-d) from Law no. 190/2018.

Also during the investigation it was found that the operator stored, unjustifiably, for periods exceeding the legal term of 30 days, the data of the employees through the GPS monitoring system installed on the company cars, being violated the provisions of art. 5 para. (1) e) and para. (2) in conjunction with art. 5 of Law no. 190/2018.

At the same time, based on the provisions of art. 58 para. (2) b) from Regulation (EU) 2016/679, the following corrective measures were ordered against the operator :

• to ensure compliance with Regulation (EU) 2016/679, of the operations of collection and further processing of personal data, by reassessing the need to achieve the proposed goals by using data from the use of the GPS monitoring system installed on the company cars of the operator’s employees, by referring to the obligations provided by Regulation (EU) 2016/679 and Law no. 190/2018.
• to ensure compliance with Regulation (EU) 2016/679, of the operations of collection and further processing of personal data, by limiting the data storage period by reference to the purposes of data processing and removing excessively stored/processed data from the record system.

https://www.dataprotection.ro/index.jsp?page=Comunicat_Presa_13_11_2024&lang=ro