Administrative fine imposed by the Hellenic Data Protection Authority on HELLENIC POST SERVICES SA for failure to implement technical and organizational measures resulting in unauthorized access to personal data
The National Center for Personal Data Protection (NCPDP), for information and enforcement purposes, communicates about the administrative fine imposed by the Hellenic Data Protection Authority (DPA) on HELLENIC POST SERVICES SA for violation of Article 5 (Principles relating to the processing of personal data) and Article 32 (Security of processing) of the GDPR.
“HELLENIC POST SERVICES S.A.” (ELTA S.A.) reported two personal data breach incidents to the Hellenic SA in compliance with the GDPR. The first incident involved the encryption of data in the company’s system for the purpose of a ransom demand, as a result of a malware attack by third parties, while the second incident involved a leak of personal data that was subsequently published on the Dark Web.
Following investigations, the Hellenic SA found that the controller had not implemented the necessary technical and organizational measures and had not ensured the implementation of its security policy for the processing of personal data. This failure resulted in breaches of the controller’s system, including vulnerability scanning, unauthorized access to system resources, the execution of malicious processes, the disabling of security software, and file encryption.
In this context, the Hellenic SA imposed on ELTA S.A. an administrative fine amounting to 1% of its last available annual turnover, based on the assessment criteria of EDPB Guidelines 4/2022 on the calculation of administrative fines, namely: the large number of persons affected, the amount of damage, the nature of the breach, the non-compliance with the security policy, and the categories of data affected. Mitigating factors were also taken into account, such as the reinforcement of system security measures after the incident, the fact that the investigation of the incident was entrusted to a specialized company whose instructions ELTA S.A. followed, the recovery of the data, and the unfavorable financial situation of the company.
The NCPDP, as the national supervisory authority for personal data processing, emphasizes the responsibility of personal data controllers to comply with the provisions of the legal framework for the protection of personal data and to ensure that personal data processing operations comply with the legislation in force.