The National Surveillance Authority has completed an investigation into the Romanian Post operator and found that it violated the provisions of Article 32 of the General Data Protection Regulation on the security of the processing.
The operation of the national company of the Romanian Layers has been sanctioned with a penalty of 9,686.60 lei, i.e. 2,000 euros.
The breach of security and trust of personal data consists of the fact that the processor has not implemented the appropriate technical and organisational measures (e.g. pseudonymization), both in the definition of the means of processing and in the processing itself, so that the principles of data protection are effectively acted and integrate into them the necessary guarantees to the processing , so that the requirements of the GDPR are met and the rights of the interested parties are protected.
The operator Compania Națională Poșta Română has been sanctioned because it had not implemented the appropriate technical and organisational measures to prevent unauthorized access to the personal data (email addresses and telephone number) of the national roman pole company, which has led to the commitment of the confidentiality of the personal data of 81 subjects.
The national supervisory authority has investigated after receipt by the operator of a data security breach notice, in accordance with what is stated in Article 33 of the GDPR.