On the 15th of July 2020, the National Supervisory Authority finalised an investigation at the controller Compania Națională Poșta Română and found that it infringed the provisions of Article 32 of the General Data Protection Regulation concerning the security of the processing.

The controller Compania Națională Poșta Română was sanctioned with a fine in the amount of 9,686.60 lei, the equivalent of 2.000 euros.

The breach of the security and confidentiality of personal data consisted in the fact that the controller did not implement adequate technical and organisational measures (e.g. pseudonymisation), both when establishing the means of processing and during the processing itself, so as to effectively implement the principles of data protection and to integrate the guarantees necessary for the processing, so that the requirements of the GDPR are fulfilled and the rights of data subjects are protected.

The controller Compania Națională Poșta Română was sanctioned because it did not take the appropriate technical and organisational measures to prevent the unauthorized access to personal data (e-mail addresses and telephone numbers) at https://awb.posta-romana.ro belonging to the Compania Națională Poșta Română, which led to the compromise of the confidentiality of the personal data of 81 data subjects.

The National Supervisory Authority carried out the investigation as a result of receiving from the controller a notification of a data security breach, pursuant to the provisions of Article 33 of the GDPR.

A.N.S.P.D.C.P