ANSPDCP (Romania) - Fine against S.C. Delivery Solutions S.A. (Sameday)

From GDPRhub
Authority: ANSPDCP (Romania)
Jurisdiction: Romania
Relevant Law: Article 29 GDPR
Article 32(1)(b) GDPR
Article 32(2) GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided:
Published: 11.07.2022
Fine: 3000 EUR
Parties: S.C. Delivery Solutions S.A.
National Case Number/Name: Fine against S.C. Delivery Solutions S.A. (Sameday)
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Romanian
Original Source: ANSPDCP (in RO)
Initial Contributor: Diana Rosu

The Romanian DPA fined the processor S.C. Delivery Solutions S.A. (Sameday) €3,000 for not implementing necessary technical and organisational measures, which led to the disclosure and/or unauthorised access to personal data of 26,566 natural persons after its database was posted on the website 'Raidforums.'

English Summary

Facts

S.C. Delivery Solutions S.A. (processor), commonly known as "Sameday", is a courier company. Sameday is authorized by two companies (controllers) for the processing of personal data.

The DPA received complaints about the processor's database, as it was found for sale on a website (RaidForums). Following the complaint, the DPA started an investigation.

The database contained the personal data of 26,566 customers (name of the recipient, contact details, address of the recipient, parcel details, delivery status etc.). The website was later seized by the FBI, Europol and other European national police agencies.

Holding

The DPA noted that a processor is obliged to take all necessary measures to systematically protect the processing of personal data of natural persons, as required by Article 28(3)(c) GDPR, including against disclosure and/or unauthorised access to data.

During its investigation, the DPA found that the database for sale on the website contained data relating to 26,566 individuals. The data included: AWB number and date (the AWB is the transport document which must accompany the dispatch of any parcel), courier details, sender's name, consignee's name and surname, telephone number, address, delivery status, type of service, parcel weight, amount to be collected and delivery interval.

The DPA held that the processor did not implement adequate technical and organisational measures to ensure a level of security appropriate to the risk of the processing for the rights and freedoms of natural persons, which led to the disclosure and/or unauthorised access to personal data of 26,566 natural persons. As a result, the DPA held that the controller violated Article 29, Article 32(1)(b), and Article 32(2) GDPR.

The DPA fined the processor €3,000 (RON 14,825.70).


English Machine Translation of the Decision

The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.

11.07.2022

Sanction for violating the GDPR



In June, the National Supervisory Authority completed an investigation at S.C. Delivery Solutions S.A. (Sameday) and found a violation of the provisions of art. 29, art. 32 para. (1) lit. b) and para. (2) of the General Data Protection Regulation.

SC Delivery Solutions S.A. (Sameday) was sanctioned with a fine of 14,825.70 lei (equivalent to 3,000 EURO).

The investigation was initiated as a result of complaints filed by a natural person who reported that the database of S.C. Delivery Solutions S.A. (Sameday) is for sale on the website https://raidforums.com/Thread-SELLING-=ae-SAMEDAY-RO-Romanian-Postal-Service.

In the investigation, it was noted that S.C. Delivery Solutions S.A. (Sameday) is the person authorized by two companies for the processing of personal data, being obliged to take all necessary measures to systematically protect the processing of personal data of individuals, as provided in art. 28 para. (3) lit. c) of the GDPR, including against disclosure and/or unauthorized access to data.

It was also found that personal data belonging to 26,566 individuals concerned (AWB number and date, the AWB being the transport document that accompanies the shipment of any package, courier codes, sender name, name and surname of the recipient, telephone number, address, delivery status, type of service, package weight, amount receivable, delivery range) were available for sale on the RaidForums forum and could be accessed using the link https://raidforums.com/Thread-SELLING-=æ-SAMEDAY-RO-Romanian-Postal-Service.

As such, S.C. Delivery Solutions S.A. was fined for failing to implement adequate technical and organizational measures to ensure a level of security appropriate to the processing risk for the rights and freedoms of individuals, which led to the disclosure and/or unauthorized access to the personal data of 26,566 natural persons concerned.



Legal and Communication Department

A.N.S.P.D.C.P.