Compania de Transport Public Cluj-Napoca S.A. – €3,980 Fine (Romania, 2024)

The Romanian DPA started an investigation, after a tip concerning the presence of audio surveillance cameras directed to the driver are present in the driver booth of buses operated by the Cluj-Napoca S.A. Public Transport Company, the controller. These cameras system allowed for remote online monitoring. During the several years during which the cameras were in place, the image and voice of employees of the controller were processed and, sometimes, resulted in the imposing of disciplinary procedures, at the expenses of employees. The DPA considered that the prolonged and extensive data processing conducted by the controller with regards to the data subject´s data, violated the principles of legality, legitimacy as well as purpose limitation. Thus, the DPA found a violation of Article 5(1)(a)(b)(c) and (2) and Article 6 GDPR in conjunction with [https://www.dataprotection.ro/servlet/ViewDocument?id=1685 Article 5(a) to (d) Law no. 190/2018], a national provision concerning data processing in the context of employment relations, and consequently imposed a fine of RON 19,902 (€4,006) on the controller. The DPA further reiterated that processing personal data through camera surveillance can illegally and excessively affect other data subjects, in this case for instance passengers, which can prove problematic. It also provided for corrective measures to ensure compliance with the GDPR, such as “re-assessing the purposes” of processing through surveillance cameras, as well as “reconsidering the use of the audio option” in the cameras.