Polish SA: administrative fine of 5 700 € for failure to implement appropriate technical and organisational measures to ensure security

6 February 2025

Background information

  • Date of final decision: 10 October 2024
  • National case
  • Legal Reference(s): Article 24 (Responsibility of the controller), Article 25 (Data protection by design and by default), Article 32 (Security of processing), Article 5 (Principles relating to processing of personal data), Article 28 (Processor)
  • Decision: Administrative fine, Compliance order
  • Key words: administrative fine, Data subject rights, Personal data breach, Principles relating to processing of personal data, Data security, Responsibility of the controller


Summary of the Decision

Origin of the case

In the course of transferring data to the new HR and payroll system of the Municipal Social Welfare Centre (MOPS) and the Municipal Sports and Recreation Centre (MOSiR), the data was not effectively safeguarded, even though both institutions had procedures for safeguarding data. No risk analysis for the processing of personal data was carried out for the procedure of changing the HR and payroll system at MOSiR and MOPS.

A MOPS employee who also worked for MOSiR shared the data with an employee of the company carrying out the data transfer. The data was copied onto a pendrive that was not encrypted. The company employee then copied some of the data onto a company laptop. After this operation the pendrive was not wiped, contrary to the company's own procedure, which required it.

An employee of the company travelled to another city and lost the pendrive there. The person who found it first posted a notice in the local media and, when this yielded no results, accessed the pendrive. Based on the folder names, the finder guessed that it contained information concerning MOPS and MOSiR in Kutno and contacted them.

This is how the institutions learned that a pendrive containing personal data had been lost. They notified the breach to the President of the Personal Data Protection Office. The pendrive contained the data of approximately 1,000 former and current employees and collaborators of MOSiR and the data of 549 employees, pensioners, former employees, contractors and participants in MOPS intervention works.

The scope of the data differed between the two institutions, but in total the pendrive held data such as first names, surnames, parents' first names, dates of birth, bank account numbers, residence or domicile addresses, PESEL numbers (personal identification numbers), e-mail addresses, data on earnings and/or possessions, mothers' family names, ID card series and numbers, telephone numbers, data on holidays and sick leave, data on completed schools, employment history, and children's names and dates of birth.


Key Findings

The President of the Personal Data Protection Office investigated the case and found that, had a risk analysis been carried out for the process of replacing the HR and payroll system, the personal data breach would not have occurred. Because no such analysis was done, no one controlled the process and no one checked whether the procedures of the company carrying out the change of the HR and payroll system were adequate.

The obligations of those involved in the processing of personal data do not end with the two-step process of carrying out a risk analysis and implementing appropriate technical and organisational measures to ensure the security of the personal data processed.

MOPS, MOSiR and the company changing the HR and payroll system should all have verified that the personal data was shared in a way that took into account the risk of losing the carrier (the pendrive) and that the pendrive was adequately protected against unauthorised access (e.g. by requiring a password to open every file or folder containing personal data). Had this been done, the personal data breach could have been prevented.


Decision

The President of the Personal Data Protection Office imposed fines of 3 436 € and 4 581 € on the two municipal institutions in Kutno for infringement of Articles 5, 24, 25, 28 and 32 of the GDPR, after an unencrypted pendrive containing the personal data of approximately 1,500 people was lost. The company servicing these institutions' change of HR and payroll software also received a fine of more than 5 700 € for infringement of Articles 28 and 32 of the GDPR.

For further information: decision in national language (Polish)

The news published here does not constitute official EDPB communication, nor an EDPB endorsement. This news item was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. Any questions regarding this news item should be directed to the supervisory authority concerned.