The National Supervisory Authority finalized in April 2023 an investigation at the controller Compania Nationala Posta Romana SA and found the breach of the provisions of Article 5 paragraph (1) letter a) and of paragraph (2), by reference to Article 6 paragraph (1) from Regulation (EU) 2016/679.

The controller was sanctioned with fine in amount of Lei 24,719.50, the equivalent of EUR 5,000.

The sanction was applied following some intimations regarding the filling of the Form 230 by the controller Compania Nationala Posta Romana SA with personal data f its own employees, in order to redirect the percentage of 3,5% from their annual income tax to a foundation pertaining to the same controller.

Within the investigation performed, it was found that during January 2023, the controller filled in partially the 230 Form with data of the employees, respectively first name, last name and personal identification number, without the existence of a legal obligation of the latter in this respect and without proving the fulfilment of another condition from those provided under Article 6 paragraph (1) from Regulation (EU) 2016/679 (such as the consent of the employees). We underline that the controller had the obligation to process the personal data lawfully, fairly and in a transparent manner in relation to the data subject, according to the provisions of Article 5 paragraph (1) letter a) from Regulation (EU) 2016/679.

In addition to the fine sanction, it was recommended to the controller to take all necessary measures for the personal data to be, in all situations, processed in accordance with the processing principles provided under Article 5 from Regulation (EU) 2016/679 and based on a legal basis established according to Article 6 from Regulation (EU) 2016/679.

The controller Compania Nationala Posta Romana S.A. paid the full fine applied, respectively the equivalent of the amount of EUR 5,000.

Legal and Communication Department

A.N.S.P.D.C.P