ANSPDCP (Romania) - Compania Națională Poșta Română

From GDPRhub
ANSPDCP - Compania Națională Poșta Română
LogoRO.jpg
Authority: ANSPDCP (Romania)
Jurisdiction: Romania
Relevant Law: Article 32 GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided: 15.07.2020
Published:
Fine: 9,686.60 RON
Parties: Compania Națională Poșta Română
Compania Națională Poșta Română
National Case Number/Name: Compania Națională Poșta Română
European Case Law Identifier: n/a
Appeal: Not appealed
Original Language(s): Romanian
Original Source: ANSPDCP (in RO)
Initial Contributor: Isabel Hahn

The Romanian National Post Company was fined 9,686.60 lei (2,000 euros) for failing to implement adequate technical and organizational security measures, which led to the unauthorized access of personal data belonging to 81 data subjects.

English Summary

Facts

The National Supervisory Authority conducted an investigation into the Romanian National Post Company, and found that it did not implement adequate technical and organizational measures (such as pseudonymization) when processing personal data. This resulted in the unauthorized access of personal data like email addresses and telephone numbers of 81 different data subjects.

Dispute

Whether there was a breach of GDPR Art.32.

Holding

The National Supervisory Authority held that there was a breach of Art.32 and imposed a fine of 9,686.60 lei, the equivalent of 2,000 euros.

Comment

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.

On 15.07.2020, the National Supervisory Authority completed an investigation at the operator of the Romanian National Post Company and found that it violated the provisions of art. 32 of the General Regulation on Data Protection, regarding the security of processing.

The operator of the Romanian Post National Company was sanctioned with a fine of 9,686.60 lei, the equivalent of 2,000 euros.

The breach of the security and confidentiality of personal data consisted in the fact that the controller did not implement adequate technical and organizational measures (eg pseudonymization), both when establishing the means of processing and in the processing itself, so as to effectively implement the principles of data protection and integrate in them the guarantees necessary for the processing, so that the requirements of the RGPD are fulfilled and the rights of data subjects are protected.

The operator of Compania Națională Poșta Română was sanctioned because it did not take the appropriate technical and organizational measures to prevent unauthorized access to personal data (e-mail addresses and telephone numbers) at https: //awb.posta-romana. ro belonging to the Romanian National Post Company, which led to the compromise of the confidentiality of the personal data of 81 data subjects.

The National Supervisory Authority carried out the investigation as a result of receiving from the operator a notification of data security breach, according to the provisions of art. 33 of the RGPD.