Last year ended with a series of fines imposed by the President of the Personal Data Protection Office. They show the importance of taking care of data security, and how costly it can be if you don't.
Million-zloty fine for not responding quickly to an incident
Poland's data protection authority, the President of the Personal Data Protection Office (PUODO), found that ID Finance Poland sp. z o.o. in liquidation (owner of the MoneyMan.pl loan portal) had not ensured the security of the personal data it processed, resulting in unauthorised access by third parties. In its decision, PUODO found a number of violations of data protection provisions (Art. 5(1)(f), 25(1), 32(1)(b), 32(1)(d) and Art. 32(2) of the EU's General Data Protection Regulation (2016/679)) and imposed a fine of over PLN 1 million on the company.
During a server reboot carried out by a processor used by the company, the server's security settings were reset to their defaults. As a result, the personal data processed on it became publicly accessible, which an independent consultant specialising in cybersecurity reported to the company. In the opinion of PUODO, the company failed to react appropriately to this signal of a security gap. Instead of quickly investigating the incident to determine whether a data breach had actually occurred, the controller focused on investigating the intentions of the person who reported it. In the meantime, the personal data stored on the server were downloaded and deleted by an unknown third party, who then demanded payment from the company in exchange for their return.
These events resulted in a data breach affecting over 140,000 of the company's customers, covering their name, education level, email address, employment data, email address of the person to whom the customer wished to recommend a loan, earnings data, marital status, telephone number, personal identity number (PESEL), nationality, tax number (NIP), website password, place of birth, mailing address, registered address, workplace telephone number, and bank account number. The company reported the breach to the supervisory authority and to the data subjects as required by data protection law.
The full text of the decision of 17 December 2020 (DKN.5130.1354.2020) is available on the authority’s website.
PLN 2 million fine for failure to regularly test systems
Two weeks earlier, PUODO had found that the telecoms company Virgin Mobile Polska sp. z o.o. failed to implement adequate technical and organisational measures ensuring a level of security appropriate to the risk of processing personal data in the IT systems used to record the personal data of prepaid subscribers, which led to an unauthorised person gaining access to the data. The authority found a number of violations of data protection provisions (Art. 5(1)(f), 5(2), 25(1), 32(1)(b) and (d), and 32(2) GDPR) and imposed a fine of almost PLN 2 million on the company.
In the opinion of PUODO, the company had not carried out regular testing, measurement and assessment of the effectiveness of the technical and organisational measures meant to secure the personal data it processed. Such actions were undertaken only when a vulnerability was suspected or in connection with organisational changes, not as a routine process.
PUODO thus shared the view expressed by the Provincial Administrative Court in Warsaw in its judgment of 3 September 2020 (case no. II SA/Wa 2559/19), according to which the GDPR introduced an approach in which risk management is the cornerstone of personal data protection and is an ongoing process. Entities processing personal data must not only achieve compliance with the GDPR through a one-off implementation of organisational and technical security measures, but must also continuously monitor the level of threats and be able to demonstrate (accountability) that the security measures they have introduced remain adequate.
In this case, the breach concerned almost 115,000 of the company's customers and covered name, PESEL number, ID card number, telephone number, and NIP number. The company reported the breach to the supervisory authority and to the data subjects as required by data protection law.
The full text of the decision of 3 December 2020 (DKN.5112.1.2020) is available on the authority’s website.
Fine for failure to report a data breach
The Medical University of Silesia in Katowice did not report a personal data breach to PUODO or to the data subjects, contrary to GDPR requirements. As a result, the supervisory authority imposed a fine of PLN 25,000 on the university.
The breach consisted of the publication on the university's internet platform of recordings showing the course of a practical exam in paediatrics. The students had not consented to the publication of the exam recordings (which showed their student IDs or identity cards), and the university did not inform them of the disclosure.
Over a dozen people notified PUODO of the breach. The authority found that it affected 156 students of the Medical University of Silesia and exposed all of the data shown on their identity cards and student cards.
The full text of the decision of 5 January 2021 (DKN.5131.6.2020) is available on the authority’s website.
A data breach due to customer error is also reportable
The insurance company Warta (Towarzystwo Ubezpieczeń i Reasekuracji Warta SA) did not report a personal data breach to PUODO or to the data subjects, contrary to the requirements of the GDPR. As a result, the supervisory authority imposed a fine of PLN 85,000 on the company.
In this case, according to PUODO, the breach consisted of an insurance policy being sent by email to an unauthorised addressee by an insurance agent acting as a processor for Warta. The incident involved only two Warta customers and covered their name, residential or mailing address, PESEL number, phone number, and email address. PUODO learned of the breach from the unauthorised addressee, who had come into possession of documents not intended for him.
In the course of the proceedings, PUODO held that the fact that the breach resulted from a customer's mistake (the customer had given the controller an incorrect email address) had no bearing on the finding that a personal data breach had occurred. The controller remains responsible for the data once it is in its possession, and the origin of the error does not remove the duty to assess and, where required, report the breach.
The full text of the decision of 9 December 2020 (DKN.5131.5.2020) is available on the authority’s website.
Ensuring the security of personal data is one of the basic obligations under the General Data Protection Regulation. The burden of selecting and implementing technical and organisational measures appropriate to the level of risk generally falls on the data controller. In making this assessment, the controller should take into account the state of the art, the cost of implementation, the nature, scope, context and purposes of the processing, and the risk of varying likelihood and severity to the rights and freedoms of natural persons.
The controller's obligations are dynamic. Under the GDPR, they include a process for regularly testing, assessing and evaluating the effectiveness of the technical and organisational measures for ensuring the security of the processing. If a breach does occur, the controller must as a rule notify the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it, and must also inform the data subjects without undue delay where the breach is likely to result in a high risk to their rights and freedoms.
As the decisions discussed above show, the President of the Personal Data Protection Office in Poland is not lowering the high bar set by EU lawmakers.
A breach of personal data protection law may result in a fine of up to EUR 20 million or, in the case of an undertaking, up to 4% of its total worldwide annual turnover for the preceding financial year, whichever is higher.
Aleksandra Drożdż, M&A and Corporate practice, Wardyński & Partners
Jakub Gerula, M&A and Corporate practice, Banking & Project Finance practice, Wardyński & Partners