Establishment of the non-compliant processing of personal data by the mayor of a locality

The National Center for Personal Data Protection (NCPDP), for information and application purposes, communicates about the issuance of a decision regarding the establishment of the non-compliant processing of personal data by the mayor of a locality.

The non-compliant processing of personal data of the data subject who notified the National Authority for personal data protection, was materialized by multiple accesses by the mayor of the locality, the data contained in the Real Estate Register, without having a purpose and legal basis, as well as in the absence of the data subject’s consent.

At the same time, during the examination of the audit of personal data accesses by the mayor, NCPDP found that the mayor made 134 personal data accesses, from 10 different IP addresses, of which multiple accesses were made outside the work schedule and on weekends.

Thus, following the control of those notified, was found the violation of art. 4, art. 5 and art. 29 of the Law 133/2011 on personal data protection.

Therefore, from the content of the related circumstances, it results the fact of the existence in the actions / inactions of the mayor of the contravention provided by art. 741 para. (2) Contravention Code.

In the light of the above, the NCPDP, as national supervisory authority for personal data processing, emphasizes the responsibility of personal data controllers to comply with the provisions of legal framework on personal data protection and to ensure that personal data processing operations are in accordance with the legislation in force.

At the same time, the NCPDP established prescriptions for the mayor concerned, to remove the non-conformities found in the decision, and to inform the NCPDP about the actions performed, within the established terms.