Home » Comunicat_Presa_17_01_2025


Sanction for GDPR violation


The National Supervisory Authority for Personal Data Processing finalised, in December 2024, an investigation at the controller DELIVERY SOLUTIONS S.A. and found a breach of Article 32 paragraph (1) letter b) and paragraph (2) of Regulation (EU) 2016/679.

As such, the controller was sanctioned with a fine of 9.954 lei (the equivalent of 2,000 euros).

The investigation was started as a result of the transmission, by the controller DELIVERY SOLUTIONS S.A., of a notification of a personal data breach, according to the provisions of Article 33 of Regulation (EU) 2016/679.

Thus, the controller reported a security incident with the exposure of personal data in the online environment.

Also, in the same notified incident, it was reported that the web interface of an internal application of the controller was accessed by fraudulently obtaining valid credentials (username and passwords), which allowed the data to be viewed.

During the investigation, it was found that the controller did not take sufficient security measures, which allowed the personal data to be accessed and viewed illegally by unauthorised persons, by accessing the web interface of the internal application used by the controller.

In this context, a number of data categories were illegally accessed and affected, such as: name and surname, postal address, telephone number and e-mail address.

Thus, since sufficient appropriate technical and organisational measures were not taken in order to ensure a level of security corresponding to the risk of the processing, including the ability to ensure data confidentiality, it was found that the provisions of Article 24, Article 32 paragraph (1) letter b) and paragraph (2) of Regulation (EU) 2016/679 were violated, and the controller was therefore fined.

At the same time, the following corrective measures were ordered against the controller in order to avoid similar security incidents:

  • adopting an updated password policy;
  • implementing an access register so that unwanted access is recorded;
  • performing regular security audits in order to identify and fix the vulnerabilities.

Legal and Communication Department