ANSPDCP (Romania) - Fine against S.C. Delivery Solutions S.A. (Sameday)

From GDPRhub
Revision as of 17:09, 17 July 2022 by DianaR
ANSPDCP - Fine against S.C. Delivery Solutions S.A. (Sameday)
Authority: ANSPDCP (Romania)
Jurisdiction: Romania
Relevant Law: Article 29 GDPR
Article 32(1)(b) GDPR
Article 32(2) GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided:
Published: 11.07.2022
Fine: 3000 EUR
Parties: S.C. Delivery Solutions S.A.
National Case Number/Name: Fine against S.C. Delivery Solutions S.A. (Sameday)
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Romanian
Original Source: ANSPDCP (in RO)
Initial Contributor: Diana Rosu

The Romanian DPA fined a processor approximately €3.000 after it failed to implement the necessary technical and organisational measures, which led to a database containing the personal data of 26.566 individuals being offered for sale online.

English Summary

Facts

S.C. Delivery Solutions S.A., commonly known in Romania as Sameday, is a courier company and the data processor for two controllers. As a processor, Sameday is required to implement the necessary technical and organisational measures to ensure the security of the personal data processed on behalf of the controllers. However, the database used by Sameday, containing the personal data of 26.566 customers (name of the recipient, contact details, address of the recipient, parcel details, delivery status etc.), was found for sale online on a website which was later seized by the FBI, Europol and other European national police agencies (link https://raidforums.com/Thread-SELLING-=æ-SAMEDAY-RO-Romanian-Postal-Service).

Holding

After a data subject found the database available for sale online, they reported it to the Romanian DPA, which started an investigation against the processor. During the investigation, the DPA discovered that the processor had not adopted the necessary technical and organisational measures to ensure the security of the personal data, and that, as a consequence, the data concerning 26.566 individuals was available online for sale. As a result, the processor was found in breach of GDPR Article 29, 32(1)(b), and 32(2) and fined approximately €3.000 (RON 14.825,70).

English Machine Translation of the Decision

The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.

11.07.2022

Sanction for violating the GDPR



In June, the National Supervisory Authority completed an investigation at S.C. Delivery Solutions S.A. (Sameday) and found a violation of the provisions of art. 29, art. 32 para. (1) lit. b) and para. (2) of the General Data Protection Regulation.

S.C. Delivery Solutions S.A. (Sameday) was sanctioned with a fine of 14,825.70 lei (equivalent to 3,000 EURO).

The investigation was initiated as a result of complaints filed by a natural person who reported that the database of S.C. Delivery Solutions S.A. (Sameday) is for sale on the website https://raidforums.com/Thread-SELLING-=ae-SAMEDAY-RO-Romanian-Postal-Service.

In the investigation, it was noted that S.C. Delivery Solutions S.A. (Sameday) is the processor authorized by two companies for the processing of personal data, being obliged to take all necessary measures to systematically protect the processing of personal data of individuals, as provided in art. 28 para. (3) lit. c) of the GDPR, including against disclosure and/or unauthorized access to data.

It was also found that personal data belonging to 26566 data subjects (AWB number and date, the AWB being the transport document that accompanies the shipment of any package, courier codes, sender name, name and surname of the recipient, telephone number, address, delivery status, type of service, package weight, amount receivable, delivery range) were available for sale on the RaidForums forum and could be accessed using the link https://raidforums.com/Thread-SELLING-=æ-SAMEDAY-RO-Romanian-Postal-Service.

As such, S.C. Delivery Solutions S.A. was fined for failing to implement adequate technical and organizational measures to ensure a level of security appropriate to the risk that the processing poses to the rights and freedoms of individuals, which led to the disclosure of and/or unauthorized access to the personal data of 26,566 natural persons concerned.



Legal and Communication Department

A.N.S.P.D.C.P.