Long cooperation between controller and processor does not guarantee data security – an administrative fine imposed by the Polish SA

8 February 2023

Background information

  • Date of decision: 8 February 2023 
  • Cross-border case or national case: National case
  • Legal references: Article 83 (1)-(3), Article 83 (4) (a), Article 83 (5) (a) GDPR (General conditions for imposing administrative fines), Article 5 (1) (f) and (2) GDPR (Principles relating to processing of personal data), Article 24 (1) GDPR (Responsibility of the controller), Article 25 (1) GDPR (Data protection by design and by default), Article 28 (1) and (3) GDPR (Processor), Article 32 (1) and (2) GDPR (Security of processing), Article 57 (1) (a) and (h) GDPR (Tasks of the supervisory authority), Article 58 (2) (d) and (i) GDPR (Powers of the supervisory authority)
  • Decision: Administrative fine
  • Key words: Data security, Administrative fine, Personal data breach


Summary of the Decision


Origin of the case

The Polish SA received a personal data breach notification concerning a loss of confidentiality of personal data. In the notification, the controller also provided the details of the processor that supplied it with comprehensive IT services. Independently, the Polish SA learned of the breach from media reports, which indicated that, among other things, insurance policies confirming the conclusion of insurance contracts with various insurance companies in the period from May 2015 to November 2020 had been publicly accessible in IT resources belonging to the controller. The controller confirmed that the breach notified to the SA was the same incident as the one described in the media.


Key Findings

As established, the breach occurred when a shared working area containing a file repository was split off and made available to employees both on the local network and remotely. The question for the SA was whether the controller and the processor had carried out a risk analysis and, on the basis of that analysis, had identified and applied technical and organisational measures ensuring a level of security of personal data appropriate to the risk. In the SA's view, no such targeted analysis was carried out; both entities contented themselves with general assumptions. The explanations of the controller and the processor showed that they had relied only on the controller's internal regulations, including its personal data protection policy, rather than on an assessment of the risk created by exposing the repository. The absence of a risk analysis led to the selection of inappropriate security measures.


Decision

The Polish SA imposed an administrative fine of more than EUR 7,300 (PLN 33,000) on the controller that had lost the confidentiality of personal data. The SA also ordered the controller to stop entrusting the processing of personal data to the processor with which it had cooperated up to that point, since the processing contract between them had serious deficiencies. In the case in question, changes to the information system were not made according to defined procedures, and the correctness of the changes was not verified after they had been made. The controller, for its part, failed to verify how the processor had implemented the changes to the IT system in which the personal data were processed. Because appropriate technical and organisational measures to ensure the security of personal data had not been implemented, an administrative fine was also imposed on the processor.


For further information: PL: Decyzja - DKN.5131.50.2021

The news published here does not constitute official EDPB communication, nor an EDPB endorsement. This news item was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. Any questions regarding this news item should be directed to the supervisory authority concerned.