Polish DPA: The controller should carry out a fair risk analysis

21 June 2021

The Polish Data Protection Authority has imposed an administrative fine on Sopockie Towarzystwo Ubezpieczeń ERGO Hestia S.A. in the amount of almost PLN 160 000 (EUR 35 000) for failing to notify a personal data protection breach. In addition, the company was fined for failing to communicate the breach to the data subject, which the supervisory authority also required it to do.

The Polish DPA was informed of the situation by the insurance intermediary company, which played a dual role in the data processing: on the one hand it was a controller, and on the other hand a processor acting for insurance companies. The breach consisted in a worker of the financial intermediary sending by email, to the wrong recipient, an analysis of insurance needs and an insurance offer containing data such as name, surname, PESEL number (the Polish acronym for the "Universal Electronic System for Registration of the Population"), city, postal code or information about the subject of the insurance. The entity, being the controller of the name and surname data, decided to notify the Polish DPA of a data breach in relation to the personal data disclosed in the attachments. It considered that the combination of these data with the data contained in the attached documents could result in a breach posing a risk to the rights or freedoms of a natural person. The wrongly sent correspondence contained personal data included in offers and calculations from several insurance companies. The entity that committed the breach acted at the same time as the processor of those insurance companies and therefore notified them of the breach. The verification carried out by the Polish DPA showed that, in connection with this incident, several insurance companies, acting as controllers, had notified the data breach. No such notification was received from Sopockie Towarzystwo Ubezpieczeń ERGO Hestia S.A.

The Polish DPA asked the company for explanations. The company confirmed that the personal data breach had indeed occurred; however, based on its assessment of the risk to the rights and freedoms of natural persons, it concluded that no breach had occurred that would require notifying the Polish DPA or communicating the breach to the data subject. It should be noted that the assessment was made using a form developed by the company. Moreover, the risk analysis carried out by the company raised doubts on the part of the supervisory authority and was not carried out correctly. The errors and irregularities in the assessment, consisting in particular in the underestimation of results for particular criteria, the failure to consider significant factors for particular criteria, or the inclusion of factors that should not have been applied, indicate that the analysis was carried out in an arbitrary manner and was used not as a tool to help the company assess whether it should notify the breach to the supervisory authority and communicate it to the data subject, but rather to demonstrate the absence of such obligations.

In addition, the company provided a statement made by an unauthorised recipient of the message indicating that he was not in possession of the documents sent and that he was not aware of the content of the documents attached to the message, as he had not read them before deleting the message. However, such a statement does not exclude the assumption that there has been a high risk to the rights or freedoms of the data subject, nor does it exclude the possibility of adverse effects in the future.

In the opinion of the Polish DPA, a security breach occurred in this case because the personal data was made available to an unauthorised recipient, who cannot be considered a "trusted recipient", and the scope of the data determines that there was a high risk to the rights or freedoms of natural persons. This gives rise to an obligation on the part of the company to notify the personal data breach to the supervisory authority.

In the opinion of the Polish DPA, the fine will be effective and will fulfill its function.


The original press release is available in Polish here

The full text of the decision is available in Polish here

For further information, please contact the Polish DPA: kancelaria@uodo.gov.pl


The press release published here does not constitute official EDPB communication, nor an EDPB endorsement. This press release was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. As the press release is represented here as it appeared on the SA's website or other channels of communication, the news item is only available in English or in the Member State's official language with a short introduction in English. Any questions regarding this press release should be directed to the supervisory authority concerned.