A new fine based on the GDPR
On the 28th of October 2019, the National Supervisory Authority finalized an investigation of the controller FAN COURIER EXPRESS SRL and found that it had infringed the provisions of Article 32 paragraphs (1) and (2) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
The controller FAN COURIER EXPRESS SRL was sanctioned with a fine in the amount of 52,325.9 lei, the equivalent of 11000 Euros.
The sanction was applied because the controller did not implement adequate technical and organizational measures to ensure a level of security corresponding to the risk presented by the processing, in particular the risk of accidental or illegal destruction, loss, modification, unauthorized disclosure of, or unauthorized access to, the personal data transmitted, stored or otherwise processed. This led to the loss of personal data (name, surname, card number, card security code (cvc), card holder address, personal identification number, serial number and identity card number, IBAN account number, approved credit limit, correspondence address) and to unauthorized disclosure of, and access to, the personal data. About 1100 data subjects were affected by the security incidents, although the controller had the obligation to take adequate security measures for personal data according to the provisions of Article 5 paragraph (1) letter f) of the GDPR.
Legal and Communication Department