Romanian public authorities sanctioned for GDPR breaches
As factual background, local police personnel (in the 4th District of Bucharest and in Cluj Napoca, respectively) processed personal data (i.e. image and voice) using portable audio-video surveillance means (i.e. "Badge" audio-video surveillance means and "Body-Worn" portable audio-video systems, respectively) in the exercise of specific missions and activities.
The ANSPDCP investigation started in both cases following a referral alleging the breach of data protection legislation. The Romanian supervisory authority found that the analyzed data processing was carried out without a legal obligation on the controller, respectively lacking an underlying legal provision to this end. Therefore, the ANSPDCP concluded that the personal data were not processed lawfully, fairly and transparently, and the conditions laid down in Article 5(1)(a) and Article 6(1) of the GDPR were not observed.
Both public authorities were sanctioned by the Romanian Data Protection Authority with a warning, accompanied by the corrective measure (as included in the remediation plan) to ensure that, in the future, the data processing operations carried out using the abovementioned audio-video surveillance means comply with the provisions of Articles 5 and 6 of the GDPR.
We note that, based on the GDPR provisions allowing EU Member States to specify whether and to what extent supervisory authorities may impose administrative fines on public authorities and bodies (Article 83(7), GDPR), the Romanian law no. 190/2018 implementing GDPR (Romanian GDPR Law) includes specific provisions in this respect.
According to the Romanian GDPR Law (i.e. Articles 13 and 14), if a public authority or body violates the GDPR or the Romanian GDPR Law, ANSPDCP shall prepare a report on the findings, accompanied by a remediation plan. Within 10 days of the remediation deadline, ANSPDCP may resume the investigation. If, following this second investigation, ANSPDCP finds that the investigated public authority has not fully implemented the measures set out in the remediation plan, the supervisory authority may, depending on the circumstances of each case, impose a fine, based on the criteria provided by Article 83(2) GDPR.
However, the level of penalties or sanctions that can be applied to Romanian public authorities/bodies is significantly lower than those a private entity would risk. Specifically, the fines that can be applied by ANSPDCP to a public authority/body for its GDPR breach or for failing to implement the measures included in the remediation plan range between RON 10,000 and RON 200,000. Also, according to the Romanian GDPR Law, some public entities benefit from extended remediation deadlines: public authorities/bodies, religious units and non-governmental organizations acting in the public interest benefit from a remediation term of maximum 90 days.
Therefore, as concerns public authorities/bodies, ANSPDCP has preventive-oriented responsibilities rather than corrective ones.
In any case, while most of the GDPR sanctions imposed so far by the Romanian Data Protection Authority have targeted private sector entities, by publishing the above-mentioned sanctions applied against two public authorities, the supervisory authority sends out a strong message to all entities processing personal data.
Last but not least, the matter of body-worn surveillance devices and the acquisition of sound and image during field activities of public authorities/bodies signals a step forward in the way the Romanian public authorities are approaching law enforcement and data gathering. The lawful use of such devices, which by default process personal data, should be, without doubt, a top priority for everybody.
Article provided by: Adelina Iftime Blagean and Nina Lazar (Wolf Theiss, Romania)
Dr. Tobias Höllwarth (Managing Director INPLP)