Background information
- Date of final decision: 12 November 2024
- National case
- Legal Reference(s): Article 24 (Responsibility of the controller), Article 25 (Data protection by design and by default), Article 32 (Security of processing), Article 5 (Principles relating to processing of personal data), Article 28 (Processor), Article 34 (Communication of a personal data breach to the data subject), Article 33 (Notification of a personal data breach to the supervisory authority)
- Decision: Administrative fine, Compliance order
- Key words: Administrative fine, Data subject rights, Personal data breach, Principles relating to processing of personal data, Data security, Responsibility of the controller
Summary of the Decision
Origin of the case
The company notified that it had lost access to customer and employee data because of a ransomware attack. The database contained data of, inter alia, former and current employees: identification numbers (PESEL), ID card details, first and last names, parents' names, dates of birth, bank account numbers, home or residence addresses, email addresses and telephone numbers. According to the company, an employee had disabled its anti-virus programme, and this enabled the ransomware attack. According to the controller, however, the incident was short-lived and the company managed to regain access to the data. It also considered that the purpose of the attack was not to obtain data, but to blackmail. Consequently, it considered that there was no high risk to the rights or freedoms of individuals. The company (controller) communicated the facts to the data subjects. However, it did so in a flawed manner, and did not respond to the comments of the Polish SA in that regard.
The President of the Polish SA comprehensively considered the evidence gathered in the case. He also asked the company (data controller) what solutions it had implemented after the attack. As a result, the President of the Personal Data Protection Office found that the data controller had not implemented appropriate technical and organisational measures that would mitigate the risk to the data. This was because, contrary to the requirements of the GDPR, the controller had not carried out an adequate risk analysis.
In these circumstances, the risk analysis should have taken into account the possibility of a malware attack. One of the key methods of preventing such attacks is to keep the software of all elements of the IT infrastructure up to date. The company had not done this, as it had failed to identify such a threat.
Key Findings
Besides the controller's failure to implement appropriate technical and organisational security measures on the basis of its risk analysis, the fine is imposed with respect to the failure to verify that the processor provides sufficient guarantees to implement appropriate technical and organisational measures so that the processing meets the requirements of the GDPR and protects the rights of data subjects (point I(b) of the operative part of the decision); and to the incorrect communication to data subjects (point I(c) of the operative part of the decision).
The controller also failed to comply with the principle of accountability under the GDPR (Article 5(2)) both before and after the incident. At no stage of the processing of personal data did the controller precisely identify all identifiable risks or threats, which made the implemented security measures ineffective. The measures implemented after the attack were also inadequate: the controller was not able to demonstrate that they were appropriate to the risks because it had not examined the risks.
The controller indicated that a person (human factor) was at fault, but, by its own admission, the controller had only conducted two data protection training sessions and only one before the incident. This is not enough if the controller believes that the ‘human factor’ poses a risk to data in its organisation.
The President of the Personal Data Protection Office also found misconduct on the part of the controller in notifying its former as well as current employees of a breach in the protection of their personal data.
Furthermore, the President of the Personal Data Protection Office noted the liability of the partners of the civil partnership entrusted by the controller with data processing. He pointed out that they had failed to assist the controller in complying with its obligation to implement adequate technical and organisational measures ensuring the security of personal data processing. Such assistance should have consisted of informing the controller of the lack of adequate security measures for the server used to process personal data, irrespective of whether this lack resulted in its use by the perpetrators of the ransomware attack and, as in the case at hand, the occurrence of a personal data breach. Lastly, the processor neglected over the years to inform the controller about the vulnerabilities present in the server's software (one of which was successfully exploited by the perpetrators of the criminal action) and about the need to upgrade the operating system to the latest available version or to use other, newer software solutions.
Decision
The President of the Personal Data Protection Office fined a company selling, inter alia, burglar-proof doors, 81 000 € thousand for infringement of Articles 5, 24, 25, 28, 32, 33 and 34 of the GDPR.
For further information: national decision (Polish)
The news published here does not constitute official EDPB communication, nor an EDPB endorsement. This news item was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. Any questions regarding this news item should be directed to the supervisory authority concerned.