The Data Protection Authority in its decision No.39/2021 imposed a fine of €8,000 on a Municipal Enterprise as a data controller for violation of the principle of proportionality (minimization) of data (Art.5 par. 1(c) of the General Data Protection Regulation – GDPR), as well as for failure to satisfy the right of access to the data subject’s data (Articles 12(3) and 15 GDPR).
The fine was imposed following the issuance of an employment certificate issued by the Company at the request of the subject, which, in addition to the duration and type of work, included details of the reasons for the dismissal of the employee, which was deemed disproportionate, while refusing to respond to a request for the provision of video footage needed to produce in a criminal trial.
The Authority, noting the seriousness of the breach and the harm it caused to the complainant, stresses the importance of data minimization in data processing as a fundamental principle of the GDPR, but also the need for data controllers to respond to requests from data subjects regarding their data. With a view to improving their reflexes to recognise compliance obligations and avoid even higher fines, businesses are encouraged to adopt internal compliance mechanisms to support subjects.
For the full text of the decision click here.
