(IN-21-6-2)

Date of Decision: 30 December 2022

This inquiry was commenced in respect of a personal data breach that A&G Couriers Limited T/A Fastway Couriers, Ireland (Fastway) notified to the DPC on 4 March 2021. Fastway is a company, which provides courier services, such as delivery of parcels, letters, packages, and documents, as well as parcel tracking and tracing options. The personal data breach concerned the unauthorised access to personal data held by Fastway, while it was engaging with its service provider in order to undertake a modification to Fastway ICT systems to facilitate declarations of duty and VAT.

• The decision found that Fastway infringed Article 32(1) of the GDPR by failing to implement appropriate technical and organisational measures to ensure an appropriate security level in relation to its processing of personal data for the provision of delivery services and stored in its internal report system at the time of the personal data breach.

Corrective Powers Exercised

• The decision issued Fastway with a reprimand in respect of the infringement.
• The decision imposed an administrative fine on Fastway in the amount of €15,000 in respect of the infringement.

You can download the full decision at this link: A&G Couriers Limited T/A Fastway Couriers (Ireland) - December 2022 (PDF, 2.5 MB).