protectia datelor

Data protection at european and national level

By Mugurel Olariu, RPD protectie date

The two bodies specialized in the field of personal data protection, at European level – EDPB and at national level – ANSPDCP, carried out in July a.c., current activities, among which we mention:
At European level, the EDPB held three remote meeting sessions on 7, 12 and 28 July, finalized with the following documents of interest:

✔ July 7, 2021:
■ Guide no. 2/2021 on virtual voice assistance (final form after public consultation)
■ Guide no. 7/2020 on the concept of operator and authorized person (final form after public consultation)
■ Guide on codes of conduct as a transfer tool, open for public consultation
The purpose of the Guide on codes of conduct as a transfer tool is to clarify the application of the provisions of art. 40 para. (3) corroborated with art. 46 para. (2) lit. e) of the General Regulation on Data Protection, including by presenting specific examples.

✔ July 12, 2021:
Mandatory Emergency Decision 01/2021 on the application under Article 66 (2) RGPD from the Hamburg Supervisory Authority (Germany) to order the adoption of the final measures regarding Facebook Ireland Limited

✔ July 28, 2021:
Decision 01/2021 regarding the dispute arising regarding the draft decision of the Irish Supervisory Authority regarding WhatsApp Ireland Limited according to art. 65 (1) (a) RGPD

The National Authority for the Supervision of Personal Data Processing, issued Decision no. 20 of June 24, 2021 on the approval of the Additional Requirements for the accreditation of certification bodies pursuant to art. 43 of Regulation (EU) 2016/679. It was published in the Official Gazette of Romania with number 689 of July 12, 2021, Part I and entered into force on the date of publication. By this decision are established, pursuant to art. 43 of Regulation (EU) 2016/679, the additional requirements for the accreditation of certification bodies.

Through the press release of July 30, 2021, the National Authority presents the fact that it has completed an investigation of a natural person and found the commission of two contraventions by violating the provisions of art. 5 para. (1) lit. a) and b) and par. (2), referred to in art. 6 para. (1), as well as the provisions of art. 14 para. (1) – (4) of the General Data Protection Regulation.

As such, the natural person, as an operator, was sanctioned for minor offenses:
✔ with a fine, in the amount of 492.75 lei (equivalent to 100 EURO) for violating art. 5 para. (1) lit. a) and b) and par. (2) of the RGPD and of art. 6 para. (1) of the GDPR;
✔ with a fine, in the amount of 492.75 lei (equivalent to 100 EURO) for violating art. 14 para. (1) – (4) of the GDPR.

Data protection at european and national level
data protection

The investigation was initiated following the receipt of several complaints. The operator was complained about the fact that, by distributing materials to households in the commune and by posting on his personal Facebook account, he revealed personal data, on the one hand, of an individual by broadcasting a photo of the flyer salary that belonged to her and, on the other hand, revealed personal data of the minor son of another person concerned, contained in a photograph of a file from the Register of children enrolled in the Kindergarten with Normal Program in that county.

lowing the investigation, the National Authority found that the operator did not provide evidence that he had legally processed the personal data contained in the pay slip of the data subject (name, surname, CNP, job, function, salary), thus violating the principles of personal data processing provided in art. 5 para. (1) lit. a) and b) and par. (2) of the GDPR and the provisions of art. 6 para. (1) of the GDPR.

At the same time, the operator did not present evidence showing that he provided information to the data subjects about the processing of personal data contained in the tab photographed in the Register of children enrolled in Kindergarten with Normal Program (name and surname of the minor son of the data subject), thus violating the provisions of art. 14 para. (1) – (4) of the GDPR.