The Romanian DPA fines the Romanian Post acting as processor following a data breach notification


On 7 November 2022, the Romanian DPA announced it sanctioned the Romanian Post with a fine of EUR 2,000 for failing to implement appropriate technical and organizational measures to ensure the confidentiality and security of personal data processing operations, which led to the loss, unauthorized disclosure, or unauthorized access to certain personal data.

The investigation began after the controller notified the DPA of a data breach by the Romanian Post acting as a processor. Subsequently, the DPA concluded that the processor had lost some mailings containing decisions on pension rights, employment certificates, and death certificates, thus affecting 35 individuals (recipients of the respective mailings).

In addition to the fine, the Romanian DPA imposed a corrective measure ordering the Romanian Post to review and update the technical and organizational measures implemented following the assessment of the risk related to the rights and freedoms of individuals, including the working procedures relating to the security of personal data, to ensure (i) the protection of data processed both on workstations (PCs) and for the provision of postal services in physical format (receipt or delivery of mailings), (ii) the physical protection of the workspaces where mailings are processed, and (iii) measures on training the persons acting under the authority of the Romanian Post.

The press release is available here (only in Romanian).