Polish SA fines controller EUR 5300 for failure to implement appropriate security measures

20 April 2023

Background information

  • Date of decision: 20 April 2023
  • Cross-border case or national case: National case
  • Legal references: Article 5 (Principles relating to processing of personal data), Article 24 (Responsibility of the controller), Article 25 (Data protection by design and by default), Article 32 (Security of processing)
  • Decision: Administrative fine, Compliance order
  • Key words: Administrative fine, Data security, Data subject rights, Encryption, Personal data breach, Responsibility of the controller, Technical and organisational measures


Summary of the Decision


Origin of the case

The reason for conducting administrative proceedings and issuing the decision was the notification of a personal data breach by the controller. The breach consisted of the addressee receiving a damaged piece of mail from which the data carrier, a pendrive attached to the cover letter, was missing. This device contained a recording of a divorce hearing containing personal data of several persons. Neither the file on the device nor the pendrive itself was encrypted.

It should be emphasised that the controller had internal regulations on security policy and the protection of personal data which provided for the protection of such data carriers; as the proceedings showed, however, these regulations were not respected in practice.


Key Findings

According to the Polish supervisory authority, the protection of data stored on external data carriers must focus on properly protecting the data stored on such a carrier against unauthorised access by third parties in case of theft or loss. The controller, on the other hand, had carried out a risk analysis and defined measures to mitigate the consequences of a breach only for the case of data carrier failure. Therefore, the risk assessment must be considered to have been carried out with incorrect values.

In the present case, the verification of the procedures in practice was not effective, contrary to the claims of the controller, since the employees of the law firm did not comply with the internal regulations when sending the external data carrier that went missing, which ultimately led to the breach.


Decision

The President of the Personal Data Protection Office has imposed an administrative fine of more than 5 300 EUR (23 580 PLN) on the Disciplinary Officer of the Bar Association for breaching the provisions of the GDPR by failing to implement appropriate technical and organisational measures to ensure the security of the processed personal data.

In addition, the President of the Polish supervisory authority ordered that the processing operations should be made compliant with the provisions of the GDPR within six months from the date of delivery of the decision.


For further information:

The news published here does not constitute official EDPB communication, nor an EDPB endorsement. This news item was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. Any questions regarding this news item should be directed to the supervisory authority concerned.