The Polish Data Protection Authority has imposed an administrative fine of PLN 100,000 on P4 company for failing to notify the supervisory authority within 24 hours after having detected a personal data breach.
The reason for the administrative fine is that the company breached the provisions of the telecommunications law and the Commission Regulation (EU) No 611/2013 of 24 June 2013 on the measures applicable to the notification of personal data breaches under Directive 2002/58/EC of the European Parliament and of the Council on privacy and electronic communications. Under the provisions of the telecommunications law, a telecommunication undertaking - the controller - not only has to protect the personal data of its customers, but also, in the event that a breach of the security of personal data is detected, it is obliged to notify the data protection authority, as well as the subscriber or the end user whose data has been breached. In addition, under these provisions, the data controller is required to notify the supervisory authority of the personal data breach within 24 hours.
This decision addresses irregularities with respect to the October 2020 data breach notification and with respect to the four December 2020 data breach notifications that were sent as a single mail to the Polish DPA. Thus, a total of five data breaches, notified more than 24 hours after their detection, are covered by the proceedings.
The company explained in the proceedings that the notifications of personal data breach made after the lapse of 24 hours were related to an unintentional mistake of the company’s employees responsible for sending correspondence. The error consisted, inter alia, in the failure to enter the correspondence into the logbook, which resulted in its return by the postal operator.
However, it is important to note that the breach of the deadline for notifying data protection security incidents is not a one-time event. These notifications were not the first ones that the company submitted to the supervisory authority after 24 hours of its detection. The Polish DPA also repeatedly sent letters to the company for submitting explanations regarding the notification of breaches after the deadline.
The Polish DPA has informed the company several times that the personal data breach notification can be made in two ways: electronically and by post; and has indicated that the fastest way is to send the notification via the business.gov.pl platform or the ePUAP platform, which ensures compliance with the deadline set out in the Regulation 611/2013.
The company did not draw any conclusions and, in particular, did not change the way it organised the dispatch of correspondence concerning notifications of personal data breaches addressed to the Polish DPA, continuing to send it through the postal operator, which required the involvement in the process of, inter alia, the company’s employees responsible for its dispatch. In particular, the errors of these employees resulted in the company's failure to meet the aforementioned deadline. The supervision over employees is the responsibility of each employer, that is the data controller. Therefore, it can be concluded that the process of sending notifications of the breach notification was improperly organised in the company. Repeated personal data breach exceeding the 24-hour deadline testify to the failure to apply the appropriate measures to eliminate similar incidents in the future.
It is noted that the company changed its practice of notifying the supervisory authority in February this year. From then on, breaches have been submitted by the company via the ePUAP platform.
The deadline of 24 hours for notification of a data breach arising from Regulation 611/2013 is not accidental. For is important that the Polish DPA reacts in a timely manner to breaches to prevent or at least limit possible adverse effects for data subjects. This refers, for example, to situations where the breach may lead to identity theft, financial loss or breach of legally protected secrets. Such situations may occur when the scope of disclosed data includes, for example, information appearing in identity cards, thus not only name and surname, but also a PESEL number (personal identification number), document number, an address.
The purpose of notifying breaches to the Polish DPA is primarily to protect the rights or freedoms of natural persons, but also to assess by the supervisory authority whether the controller has correctly fulfilled its obligation to communicate the breach to the data subjects, or whether it has also taken appropriate measures to minimise the risk of a similar breach occurring in the future.
The fine imposed, in the opinion of the Polish DPA, is adequate to the established breach of provisions.
The full text of the decision is available in Polish here
For further information, please contact the Polish DPA: kancelaria@uodo.gov.pl
The press release published here does not constitute official EDPB communication, nor an EDPB endorsement. This press release was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. As the press release is represented here as it appeared on the SA's website or other channels of communication, the news item is only available in English or in the Member State's official language with a short introduction in English. Any questions regarding this press release should be directed to the supervisory authority concerned.