Polish SA imposed fine for failing to implement appropriate technical and organisational measures

31 May 2023

Background information

  • Date of decision: 31 May 2023
  • Cross-border case or national case: National case
  • Legal references: Article 57(1)(a)(h), Article 58(2)(i), Article 83(1)-(3), Article 83(4)(a), Article 83(5)(a), Article 5(1)(f), Article 5(2), Article 24(1), Article 25(1), Article 32(1)(2), Article 33(1) and Article 34(1)(2)
  • Decision: Administrative fine
  • Key words: Administrative fine, Cooperation, Employment, Notification of personal data breach


Summary of the Decision


Origin of the case

The Polish SA received information from a third party indicating that documentation kept in electronic form by the controller had been lost. This documentation contained, inter alia, personal data of the controller's employees and of persons who were parties to civil law contracts. On the basis of this information, the supervisory authority sent the controller several letters requesting an explanation.


Key Findings

The controller admitted that a ransomware attack had blocked access to the personal data of the company's employees. As it was unable to decrypt the data, it judged it best not to interfere with the affected system. The controller did not notify the personal data breach to the supervisory authority, taking the view that the incident did not constitute a personal data breach within the meaning of the GDPR. The Polish SA did not accept this position: the legal basis of the decision includes Article 33(1) (notification of a breach to the supervisory authority) and Article 34(1)(2) (communication of a breach to the data subjects). Taking into account the scope of the personal data processed and the categories of persons concerned, the Polish SA assessed that the controller was obliged to implement appropriate technical and organisational measures ensuring an adequate level of data protection. The controller's cooperation with the supervisory authority, which was not satisfactory, was also relevant to the assessment.


Decision

Failure to implement appropriate technical and organisational measures to ensure the security of personal data processing, and failure to regularly test, assess and evaluate the effectiveness of the measures in place (Article 32(1)(d)), were among the reasons for the administrative fine of over EUR 10,500 (PLN 47,000) imposed by the Polish supervisory authority.


For further information:

The news published here does not constitute official EDPB communication, nor an EDPB endorsement. This news item was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. Any questions regarding this news item should be directed to the supervisory authority concerned.