Sanction for the infringement of the GDPR
The National Supervisory Authority finalized in June an investigation at Delivery Solutions S.A. (Sameday) and found the breach of the provisions of Article 29, Article 32 paragraph (1) letter b) and paragraph (2) of the General Data Protection Regulation.
Delivery Solutions S.A. (Sameday) was sanctioned with fine in amount of Lei 14,825.70 (the equivalent of EUR 3,000).
The investigation was started following some intimations submitted by a natural person that reported the fact that the database of Delivery Solutions S.A. (Sameday) is for sale on the website https://raidforums.com/Thread-SELLING-=ae-SAMEDAY-RO-Romanian-Postal-Service.
Within the investigation, it was found that Delivery Solutions SA (Sameday) is processor for two companies for the processing of personal data, being obliged to take all the necessary measures to systematically protect the processing of personal data of natural persons, as provided under Article 28 paragraph (3) letter c) of the GDPR, including against the unauthorized disclosure and/or access to data.
Also, it was found that the personal data belonging to a number of 26566 natural data subjects (AWB number and date – the transport documents that is mandatory for the shipping of any package, couriers indicatives, name of the sender, first name and last name of the recipient, telephone number, address, delivery status, type of the service, weight of the package, the amount to be cashed in, delivery interval) were available for sale on the forum RaidForums and could be accessed by using the link https ://raidforums.com/Thread-SELLING-=æ-SAMEDAY-RO-Romanian-Postal-Service.
Therefore, Delivery Solutions SA was sanctioned with fine given that it did not implement the adequate technical and organizational measures in order to ensure a level of security corresponding to the risk of the processing for the rights and freedoms of the natural persons, which led to the unauthorized disclosure and/or access to the personal data for 26566 natural data subjects.
Legal and Communication Department