GDPR Sanction for Ordinul Asistenților Medicali Neamț
Summary
The National Supervisory Authority for Personal Data Processing in Romania sanctioned Ordinul Asistenților Medicali Generaliști, Moașelor și Asistenților Medicali din România – Filiala Neamț for GDPR violations. The entity received a fine of 2,000 euros and two reprimands for issues related to video surveillance and data subject information.
What changed
The National Supervisory Authority for Personal Data Processing (ANSPDCP) has issued a sanction against Ordinul Asistenților Medicali Generaliști, Moașelor și Asistenților Medicali din România – Filiala Neamț for multiple violations of the General Data Protection Regulation (GDPR). The violations include processing employee images via video surveillance without a proper legal basis or prior consultation, failing to show that less intrusive methods had been tried and found ineffective, inadequate security measures, and insufficient information to data subjects. The controller was fined 2,000 euros and received two reprimands.
Regulated entities, particularly employers utilizing video surveillance, must review their data processing activities for compliance with GDPR Articles 5, 6, 12, 13, and 32. This includes ensuring a legal basis for processing, conducting prior consultations where necessary, providing comprehensive information to data subjects, and implementing appropriate technical and organizational security measures. The ANSPDCP also ordered specific corrective actions, such as eliminating non-compliant video surveillance systems and ensuring future compliance with data protection principles. Failure to comply could result in further sanctions and corrective orders.
What to do next
- Review video surveillance policies and legal basis for processing employee data.
- Ensure all data processing activities comply with GDPR Articles 5, 6, 12, and 13.
- Implement and document appropriate technical and organizational security measures for personal data processing.
Penalties
Fine of 10,177 lei (2,000 euros) and two reprimands.
Source document (simplified)
29.12.2025
Sanction for infringing the GDPR
The National Supervisory Authority for Personal Data Processing completed, in November 2025, an investigation at the controller Ordinul Asistenților Medicali Generaliști, Moașelor și Asistenților Medicali din România – Filiala Neamț and found a violation of the provisions of Article 5 paragraph (1) letter a), Article 6, Article 32 paragraph (1), Article 12 and Article 13 of the General Data Protection Regulation (GDPR).
As such, the controller was sanctioned as follows:
- fine in the amount of 10,177 lei, the equivalent of 2,000 euros for violating the provisions of Article 5 paragraph (1) letter a) and Article 6 of the GDPR;
- reprimand for violating the provisions of Article 32 paragraph (1) of the GDPR;
- reprimand for violating the provisions of Article 12 and Article 13 of the GDPR.
The investigation was initiated following a complaint by the petitioner claiming that the controller had installed a video surveillance camera facing the office where he worked, as well as the fact that he had not been informed about the existence of the video surveillance system.
During the investigation, the National Supervisory Authority found that the controller had processed the image of its employees and students, through video surveillance cameras installed in the offices and in the classroom, without providing proof that it had carried out prior consultation with the employees/union before installing and putting into operation the video surveillance system at the workplace.
It was also found that the controller did not prove that other less intrusive forms and methods for achieving the purpose pursued by the employer had not previously proven their effectiveness and that the controller did not implement adequate technical and organizational measures to ensure the security and confidentiality of personal data processed through the video surveillance system.
Furthermore, during the investigation it was also found that the controller did not present evidence showing that it had fully informed the data subjects about the processing of data through the video surveillance system, which constitutes a violation of the provisions of Articles 12 and 13 of the GDPR.
At the same time, the controller was ordered to take the following corrective measures:
- to eliminate the use of the video surveillance system installed in offices and in the classroom, for which there is no express legal basis for processing the personal data of its employees, in relation to Articles 5 and 6 of the GDPR;
- to ensure the full information to data subjects, in relation to all activities involving the processing of personal data, by providing all the information provided for in Articles 13 and 14 of the GDPR, as appropriate, as well as in compliance with the conditions provided for in Article 12 of the GDPR;
- to implement appropriate technical and organizational security measures for all processing of personal data, in particular for processing carried out through video surveillance cameras, in accordance with Articles 24, 29 and 32 of the GDPR;
- to take the necessary measures so that, in the future, the compliance of processing operations with the provisions of the GDPR is ensured, namely that video cameras installed outside the building record images only from the perimeter belonging to the controller, and not from the public domain.
We mention that the controller has paid the fine imposed.
Legal and Communication Department
A.N.S.P.D.C.P