ANSPDCP - Compania Națională Poșta Română
|ANSPDCP - Compania Națională Poșta Română|
|Relevant Law:||Article 32 GDPR|
|Parties:||Compania Națională Poșta Română|
Compania Națională Poșta Română
|National Case Number/Name:||Compania Națională Poșta Română|
|European Case Law Identifier:||n/a|
|Original Source:||ANSPDCP (in RO)|
|Initial Contributor:||Isabel Hahn|
The Romanian National Post Company was fined 9,686.60 lei (2,000 euros) for failing to implement adequate technical and organizational security measures, which led to the unauthorized access of personal data belonging to 81 data subjects.
English Summary[edit | edit source]
Facts[edit | edit source]
The National Supervisory Authority conducted an investigation into the Romanian National Post Company, and found that it did not implement adequate technical and organizational measures (such as pseudonymization) when processing personal data. This resulted in the unauthorized access of personal data like email addresses and telephone numbers of 81 different data subjects.
Dispute[edit | edit source]
Whether there was a breach of GDPR Art.32.
Holding[edit | edit source]
The National Supervisory Authority held that there was a breach of Art.32 and imposed a fine of 9,686.60 lei, the equivalent of 2,000 euros.
Comment[edit | edit source]
Further Resources[edit | edit source]
Share blogs or news articles here!
English Machine Translation of the Decision[edit | edit source]
The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.
On 15.07.2020, the National Supervisory Authority completed an investigation at the operator of the Romanian National Post Company and found that it violated the provisions of art. 32 of the General Regulation on Data Protection, regarding the security of processing. The operator of the Romanian Post National Company was sanctioned with a fine of 9,686.60 lei, the equivalent of 2,000 euros. The breach of the security and confidentiality of personal data consisted in the fact that the controller did not implement adequate technical and organizational measures (eg pseudonymization), both when establishing the means of processing and in the processing itself, so as to effectively implement the principles of data protection and integrate in them the guarantees necessary for the processing, so that the requirements of the RGPD are fulfilled and the rights of data subjects are protected. The operator of Compania Națională Poșta Română was sanctioned because it did not take the appropriate technical and organizational measures to prevent unauthorized access to personal data (e-mail addresses and telephone numbers) at https: //awb.posta-romana. ro belonging to the Romanian National Post Company, which led to the compromise of the confidentiality of the personal data of 81 data subjects. The National Supervisory Authority carried out the investigation as a result of receiving from the operator a notification of data security breach, according to the provisions of art. 33 of the RGPD.