1. Enforcement activity of the Romanian DPA
According to the 2016 activity report (the “Activity Report”) published by the Romanian Data Protection Authority (the “Romanian DPA”), both the number of investigations performed by the Romanian DPA and the number of complaints it received grew during the year. In 2016, the Romanian DPA performed 632 investigations, 57% more than in the previous year, and the number of complaints nearly doubled compared to 2015, reaching 2,202.
The number of fines imposed by the Romanian DPA also rose by 48% compared to the previous year, to 193 fines, with an aggregate amount of approx. EUR 250,000 / USD 275,000.
2. Main areas of interest for investigations
Ex-officio investigations focused mainly on three areas: data protection compliance in the banking sector, the processing of biometric data, and data processing by public authorities. We have also noticed an emphasis on investigations concerning the processing of employee data by employers.
Complaints received by the Romanian DPA relate mainly to banking and telecommunications companies, and to video surveillance.
Below is a short overview of a few notable cases detailed in the Activity Report.
2.1 Processing biometric data of employees
Investigations performed by the Romanian DPA found that certain companies had implemented biometric authentication systems for employees, based in particular on fingerprints or facial recognition, mostly for physical access control on company premises and for recording the time employees spend on site.
In most cases, the Romanian DPA considered these measures excessive in relation to the purpose of the processing. After sanctioning the companies, the Romanian DPA recommended that they find less intrusive means of achieving the same purposes.
2.2 Monitoring access of employees on premises of the employer
The Romanian DPA performed several investigations into data processing through video surveillance systems installed at company headquarters and aimed at monitoring employees' work.
The Romanian DPA's position is that CCTV at the workplace is not acceptable where less intrusive means can achieve the same purpose. Before installing CCTV, the employer should therefore assess whether such a measure is actually necessary.
In addition to informing employees about the processing, the employer should also complete the consultation process with the trade union, where one exists.
2.3 “The right to be forgotten” on the Internet
The Romanian DPA stated that it received many requests from individuals relating to the right to be forgotten, especially concerning search engines.
For example, an individual complained that he had asked Google to delete his personal data, which was associated with a series of false and defamatory information indexed by search engines. Although the Romanian DPA expressly requested that the data controller delete the data, Google challenged the Romanian DPA's request and deleted the data only after receiving a court order to that effect.
2.4 Rights of individuals
The Activity Report contains a series of examples of companies acting as data controllers that refused individuals' requests to exercise their data protection rights.
For example, an individual reported that he had repeatedly asked a telecommunications company to delete his data, given that the contract between them had been terminated and he owed the company no outstanding amounts.
Following an investigation by the Romanian DPA, the telecommunications company was sanctioned for failing to comply with the individual's request to delete the personal data it processed.
2.5 Preventing data breaches
The Romanian DPA has begun to focus more on verifying that appropriate security measures are implemented when personal data is processed. The Activity Report gives an example: an individual reported that, after he had entered into a contract with a telecommunications company, the company created an online account on its website at the request of his spouse, without his consent or knowledge.
The account appears to have been set up in such a way that the spouse could view information about the individual's telephone calls. The Activity Report does not describe how the spouse's request was verified, only that it was acted upon without the contract holder's involvement.
The Romanian DPA sanctioned the telecommunications company because, among other things, it had not taken adequate technical or organisational measures to ensure (i) the security of the personal data processed and (ii) a level of security proportionate to the risk, in particular that the personal data of a contract holder can be accessed only by the authorised person and not by third parties such as relatives.
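The control that was missing in this case is the binding of an online account to the contract holder's verified identity before any data is exposed through it. The following Python model is an added illustration, not code from the Activity Report or from the operator involved, and it assumes a mechanism the report does not describe: an enrolment flow in which the portal proves control of the contract holder's registered phone number by sending a one-time code to that number (not to the requester), locks the request after a few wrong codes, and only then binds the login to the contract. The class names (Portal, Subscriber), MAX_OTP_ATTEMPTS, the contract number and the call record are all constructed for the demo.

```python
# Added illustration (hypothetical, not the operator's system): a toy
# self-service portal contrasting account provisioning bound only to a
# contract number with provisioning that first proves control of the
# contract holder's registered line.
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Callable

MAX_OTP_ATTEMPTS = 3  # assumption: small bound so a six-digit code cannot be guessed


def random_code() -> str:
    """Six-digit one-time code from a CSPRNG."""
    return f"{secrets.randbelow(10**6):06d}"


@dataclass
class Subscriber:
    contract_id: str
    msisdn: str          # phone number registered to the contract holder
    call_records: list   # the kind of data the DPA case concerned


@dataclass
class Portal:
    subscribers: dict                                  # contract_id -> Subscriber
    make_code: Callable[[], str] = random_code         # injectable for tests
    accounts: dict = field(default_factory=dict)       # login -> contract_id
    pending: dict = field(default_factory=dict)        # login -> [contract_id, code, failed attempts]
    sms_outbox: list = field(default_factory=list)     # (msisdn, text); stand-in for an SMS gateway
    audit: list = field(default_factory=list)          # (event, login, contract_id)

    # Weak flow: whoever can name a contract number (a relative usually can)
    # is bound to it and sees its data. This is the failure mode in the case.
    def create_account_weak(self, login: str, contract_id: str) -> None:
        if contract_id not in self.subscribers:
            raise KeyError("unknown contract")
        self.accounts[login] = contract_id
        self.audit.append(("account_created_unverified", login, contract_id))

    # Hardened flow, step 1: the code goes to the holder's registered number,
    # never to the party making the request.
    def request_account(self, login: str, contract_id: str) -> None:
        sub = self.subscribers[contract_id]
        code = self.make_code()
        self.pending[login] = [contract_id, code, 0]
        self.sms_outbox.append((sub.msisdn, f"Portal enrolment code: {code}"))
        self.audit.append(("otp_sent", login, contract_id))

    # Step 2: bind the login to the contract only when the code matches;
    # after MAX_OTP_ATTEMPTS failures the request is discarded.
    def confirm_account(self, login: str, code: str) -> bool:
        entry = self.pending.get(login)
        if entry is None:
            return False
        contract_id, expected, _ = entry
        if hmac.compare_digest(code, expected):      # constant-time compare
            del self.pending[login]
            self.accounts[login] = contract_id
            self.audit.append(("account_created_verified", login, contract_id))
            return True
        entry[2] += 1
        self.audit.append(("otp_failed", login, contract_id))
        if entry[2] >= MAX_OTP_ATTEMPTS:
            del self.pending[login]                   # a fresh request means a fresh code
            self.audit.append(("otp_locked", login, contract_id))
        return False

    # Data access: only a login bound to the contract sees its records.
    def call_records(self, login: str) -> list:
        contract_id = self.accounts.get(login)
        if contract_id is None:
            raise PermissionError("login is not bound to any contract")
        return self.subscribers[contract_id].call_records


def build_portal(make_code: Callable[[], str] = random_code) -> Portal:
    # Constructed sample data: one contract holder with one call record.
    holder = Subscriber("C-1001", "+40700000001", ["2016-03-01 +40711111111 04:12"])
    return Portal(subscribers={holder.contract_id: holder}, make_code=make_code)


def weak_scenario() -> list:
    """Spouse asks for an account on the holder's contract and simply gets one."""
    p = build_portal()
    p.create_account_weak("spouse", "C-1001")
    return p.call_records("spouse")        # the holder's records are exposed


def hardened_scenario(make_code: Callable[[], str] = random_code,
                      spouse_guesses=("000000", "123456", "111111")) -> dict:
    """Spouse cannot read the code sent to the holder's phone; the holder can."""
    p = build_portal(make_code)
    p.request_account("spouse", "C-1001")
    confirms = [p.confirm_account("spouse", g) for g in spouse_guesses]
    try:
        p.call_records("spouse")
        exposed = True
    except PermissionError:
        exposed = False
    p.request_account("holder", "C-1001")
    code = p.sms_outbox[-1][1].split()[-1]   # the holder reads the SMS on his own phone
    holder_ok = p.confirm_account("holder", code)
    return {"spouse_confirms": confirms, "spouse_locked": "spouse" not in p.pending,
            "records_exposed": exposed, "holder_enrolled": holder_ok,
            "holder_records": p.call_records("holder"), "audit": p.audit}


if __name__ == "__main__":
    print("weak flow exposes:", weak_scenario())
    print("hardened flow:", hardened_scenario())
```

Two design points match the DPA's finding: the proof of identity is tied to something only the contract holder holds (the registered line), so a relative who knows the contract number gains nothing, and every enrolment attempt is recorded in an audit trail, which is what lets a controller later demonstrate that access was limited to the authorised person.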
3. Perspective for 2017 onwards
The Romanian DPA has continued the same enforcement trend in 2017 alongside its preparations for the entry into force of the EU General Data Protection Regulation (GDPR), e.g. legislative proposals for the specific provisions of Romanian law, and conferences and meetings with companies to discuss the steps to be taken under the GDPR.