Home » Comunicat_Presa_07_11_2022
 Română | English | Francais


Sanction for the GDPR infringement


The National Supervisory Authority finalized in October 2022 an investigation at Compania Națională Poșta Română SA and found the breach of the provisions of Article 32 paragraph (1) letter b) and paragraph (2) from the General Data Protection Regulation.

Therefore, Compania Națională Poșta Română SA was sanctioned with fine in amount of Lei 9,883.8 (the equivalent of EUR 2,000).

The investigation was started following the fact that a data controller notified to the National Supervisory Authority the breach of the data security by Compania Națională Poșta Română SA, as processor.

Within the investigation performed, it resulted that the processor Compania Națională Poșta Română SA lost some postal items that contained decisions regarding the pension rights, employment records and death certificates, a number of 35 natural persons (recipients) being affected.

Also, it was found that this company did not implement appropriate technical and organizational measures to ensure a level of confidentiality and security of the data subjects’ personal data, that led to the loss, unauthorized disclosure or unauthorized access to certain personal data.

At the same time, based on Article 58 paragraph (2) letter d) from the General Data Protection Regulation, also the corrective measure to review and update the technical and organizational measures implemented following the evaluation of the risk for the human rights and freedoms, inclusively of the working procedures regarding the personal data protection, in order to ensure the protection of the data processed both on the working stations (PC) and for the performance of the physical post services (the receipt of delivery of postal items) in physical form, as well as to ensure a physical protection of the working spaces where the postal items are processed and of the measures regarding the training of the persons acting under the authority of the company was taken against Compania Națională Poșta Română SA.

In the context, we mention that according to the provisions of Article 4 point 8 from the General Data Protection Regulation ‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

Also, we mention that Article 32 paragraph (1) and (2) from the General Data Protection Regulation mentions:

“1.   Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:

(a) the pseudonymisation and encryption of personal data;

(b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;

(c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;

(d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

2.   In assessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.”

In this context, we underline that the obligations to ensure the data security and confidentiality measures lays both on the controller and on the processor.


Legal and Communication Department