What Happened
Romania's National Supervisory Authority for Personal Data Processing (ANSPDCP) concluded in April 2025 an investigation into operator ROUMASPORT SRL, sanctioning the company with a fine of 24,887 RON — equivalent to €5,000.
The investigation was triggered by complaints signaling possible violations of personal data processing legislation at one of the operator's work locations.
What GDPR Violations Were Found
ANSPDCP established that ROUMASPORT SRL violated:
Art. 5(1)(a) and (b) of Regulation (EU) 2016/679 — the principles of lawfulness, fairness and transparency, and purpose limitation. Data collected through the video surveillance system was not processed for determined, explicit and legitimate purposes.
Art. 6(1) of GDPR — the lawfulness conditions for processing. The operator could not demonstrate the existence of a valid legal basis for using employees' images for disciplinary investigation purposes.
Art. 5 of Law No. 190/2018 — the national GDPR implementation legislation, which establishes specific conditions for video monitoring in the workplace.
In concrete terms, the operator accessed the existing video surveillance system and used employees' images including for disciplinary investigation purposes, without a corresponding legal basis for this extended use of the collected data.
The Corrective Measure Imposed
In addition to the fine, ANSPDCP imposed a mandatory corrective measure: the operator must ensure that all personal data processing operations through video monitoring comply with GDPR principles — particularly in cases where recordings are used in disciplinary proceedings.
What Obligations Employers Have Regarding Video Surveillance
This case illustrates a common mistake among employers: installing a video surveillance system for a declared purpose — such as premises security — and subsequently using the recordings for other purposes, such as employee disciplinary investigations.
GDPR explicitly prohibits this practice through the purpose limitation principle: data collected for one purpose cannot be reused for other incompatible purposes.
To be compliant, a company that wishes to use video surveillance also in disciplinary proceedings must simultaneously meet several conditions. First, employees must be transparently informed about the existence of the system, the purposes of monitoring, and the situations in which recordings may be used — including in disciplinary investigations. Second, a valid and documented legal basis must be identified, most commonly the operator's legitimate interest, mandatorily accompanied by an impact assessment on employees' rights. Third, internal video monitoring policies must explicitly specify all purposes for which recordings may be used, and access to them must be restricted and documented.
Why This Case Matters for Your Organization
The ROUMASPORT case is not isolated. ANSPDCP has intensified investigations into workplace video monitoring in recent years, and fines can reach up to €20 million or 4% of global annual turnover for serious violations.
If your organization uses video surveillance systems, urgently verify whether employee notification is complete and up to date, whether a documented legal basis exists for each processing purpose, whether recordings are accessed only by authorized personnel, and whether the retention period for recordings is limited and justified.
Conclusion
Video surveillance in the workplace is a high-risk area for GDPR non-compliance. Using recordings for purposes other than those originally declared — even in the context of legitimate disciplinary procedures — can attract significant sanctions.
Compliance does not simply mean installing a legal video system. It means documenting, limiting and controlling every use of the collected data.
Does your organization use workplace video surveillance and you're unsure whether it's GDPR compliant? Contact us for a compliance audit.