European Data Protection Board

National news

On this page you will find news on GDPR enforcement by the national supervisory authorities. The press releases gathered here do not constitute official EDPB communication nor an endorsement. They are published strictly for information purposes and are represented here as they appeared on the supervisory authority's website or other channels of communication. Therefore, these news items are only available in English or in the Member State's official language with a short introduction. Any questions regarding these news releases should be directed at the supervisory authority concerned. You can find all supervisory authorities here.
13 January 2021

The inability to quickly identify a threat and remove it led to data loss at the company ID Finance Poland. The President of the Personal Data Protection Office (UODO) therefore found that the company had not implemented appropriate technical and organizational measures, which resulted in a breach of the principle of confidentiality of personal data, and imposed an administrative fine on the company in the amount of over PLN 1 million (EUR 250,000).

The punished company (owner of the lending platform MoneyMan.pl) did not respond adequately to the signal about gaps in its security. It did not check quickly enough the information that its clients' data was accessible on one of its servers. The notification was not treated seriously, so a few days after the company received the signal, an unauthorized person copied the data and then deleted it from the server. That person demanded a ransom for returning the stolen information. Only then did the company start analysing the security features of its servers, notifying the data breach to the supervisory authority at the same time.

In the proceedings, the UODO established that the breach took place because the appropriate security configuration was not restored after one of the servers operated by the processor (a hosting company) was restarted. The controller was notified of this by a cybersecurity specialist, who detected the vulnerability and pointed to sample, publicly accessible information. Instead of diligently checking the notification received and monitoring whether the processor duly dealt with the case by verifying the security, the controller suspected that this was an attempt to extort further data from it, which it indicated in its correspondence with the processor. As a result, the identified vulnerabilities in the system were not checked immediately, and a few days later the data was stolen from this server.

This breach would not have occurred if the controller had immediately and appropriately reacted to the information that the data on its server was unsecured. In the opinion of the Personal Data Protection Office, the controller should maintain the ability to quickly and effectively identify any breach in order to be able to take appropriate action. Moreover, the controller should be able to quickly investigate an incident to determine whether a data breach has occurred and to take appropriate remedial action.

The supervisory authority also found that the processor's failure to respond sufficiently quickly to the notification of a system vulnerability does not exclude the controller's responsibility for the data breach. The controller must be able to detect, address and notify a data breach; this is a critical element of its technical and organizational measures.

In the opinion of the UODO, the company, despite promptly passing the information about a potential vulnerability in the server's security on to the processor, did not take sufficient action. The proceedings showed that the controller analysed the signal only briefly, did not take it seriously and did not oblige the processor to deal with the case properly.

When imposing a fine for the loss of confidentiality of personal data caused by a series of negligent acts by the controller, the UODO took into account the scale of the breach and the scope of the stolen data. In addition, because unencrypted passwords had also leaked, it is possible to use these data to log in to customers' accounts on other websites if they used the same login (e.g. e-mail address) and password there. In setting the amount of the fine, the authority also took into account the controller's delay in taking preventive measures.

The amount of the fine should fulfil both a repressive and a preventive function. In the opinion of the authority, it should prevent similar breaches in the future, both in the penalized company and at other controllers.

To read the press release in Polish, click here.

To read the full decision in Polish, click here.

For more information please contact the Polish DPA at kancelaria@uodo.gov.pl

The press release published here does not constitute official EDPB communication, nor an EDPB endorsement. This press release was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. As the press release is represented here as it appeared on the SA's website or other channels of communication, the news item is only available in English or in the Member State's official language with a short introduction in English. Any questions regarding this press release should be directed to the supervisory authority concerned.
13 January 2021

Towarzystwo Ubezpieczeń i Reasekuracji WARTA S.A. (WARTA S.A. Insurance and Reinsurance Company) infringed the provisions of the General Data Protection Regulation because it did not notify a personal data breach to the President of the Personal Data Protection Office. The supervisory authority therefore imposed a fine on the company in the amount of PLN 85 588 (EUR 20,000).

In May 2020, the Personal Data Protection Office (UODO) received information from a third party about a personal data breach: an insurance agent, acting as a processor for the WARTA S.A. Insurance and Reinsurance Company, had sent an insurance policy by e-mail to an unauthorised addressee.

The attached document contained personal data including, among others, names, surnames, addresses of residence, PESEL numbers (personal identification numbers) and information concerning the subject matter of the insurance (a passenger car). Importantly in this case, the supervisory authority was informed of the personal data breach by the unauthorised addressee, who had taken possession of documents not intended for him or her, so that the confidentiality of the data of the persons concerned had been breached.

Therefore, the supervisory authority requested the Company to clarify whether, in connection with the sending of electronic correspondence to an unauthorised recipient, it had carried out an analysis of the risk to the rights and freedoms of natural persons, which is necessary to assess whether a data protection breach had occurred that required notification of the UODO and of the persons affected by the breach. In the letter, the supervisory authority indicated to the company how it could notify the breach and called for explanations.

The Company confirmed that there had been an incident involving a personal data breach and that an assessment of the risk to the rights and freedoms of natural persons had been conducted. It was on the basis of that assessment that the fined company concluded that the breach did not require notification to the UODO. The company considered that the breach was caused by sending the insurance policy document to the wrong e-mail address, which had been indicated by the customer himself or herself. In addition, the unauthorised recipient contacted the company, and the company asked for permanent deletion of the message, requesting feedback confirming its deletion.

Despite the letter from the UODO requesting clarification, the company still did not notify the personal data breach and did not communicate the incident to the persons affected by it. The supervisory authority therefore initiated administrative proceedings. It was only as a result of the initiation of the proceedings that the company notified the personal data breach and informed the two persons affected by it.

Such conduct by the company resulted in a long duration of the breach, which must be regarded as an aggravating circumstance, all the more so since five months had elapsed between the company being informed of the personal data breach and its notification to the supervisory authority.

In the course of the proceedings, the UODO considered that the fact that the breach occurred as a result of a customer's mistake in providing the wrong e-mail address does not mean that the event cannot be qualified as a personal data breach. When allowing e-mail to be used for communication with customers, the controller should be aware of the risks associated with, for example, an incorrect e-mail address provided by the customer. Therefore, in order to minimise these risks, the controller should take appropriate organisational and technical measures, such as verifying the address provided or encrypting the documents sent in this way.

Likewise, the fact that the wrong recipient was requested to permanently delete the correspondence received does not establish that the risk to the rights and freedoms of the data subjects is not high. The controller cannot be sure that the unauthorised addressee has not, for example, made a copy of the documents or otherwise recorded them.

When imposing the administrative fine, the President of the UODO also took into account mitigating circumstances, such as the fact that the breach concerned the personal data of two persons and that the company asked the wrong recipient to permanently delete the correspondence received. However, it is worth noting that a request to delete data is not tantamount to a guarantee that the data is actually erased by the unauthorised person, and it does not preclude possible negative consequences of its use.

To read the press release in Polish, click here.

To read the full decision in Polish, click here.

For more information please contact the Polish DPA at kancelaria@uodo.gov.pl

13 January 2021

The President of the Personal Data Protection Office (UODO) imposed a fine of PLN 1.9 million (EUR 460,000) on Virgin Mobile Polska for the lack of implemented appropriate technical and organisational measures to ensure the security of the processed data.

The UODO stated that the company infringed the principles of data confidentiality and accountability specified in the GDPR. Virgin Mobile did not carry out regular and comprehensive tests, measurements and evaluations of the effectiveness of the technical and organisational measures applied to ensure the security of the data processed. Activities in this regard were undertaken only when a vulnerability was suspected or in connection with organisational changes. Moreover, no tests were carried out to verify the safeguards applied to the transfer of data between the applications used to service buyers of prepaid services. The vulnerability in the data exchange between these systems was then exploited by an unauthorised person to obtain data on some of the company's customers.

In connection with a data breach in which an unauthorised person obtained customer data from one of the databases, the Supervisory Authority carried out an inspection at the company. As a result of the irregularities found, the authority instituted administrative proceedings, which concluded with the imposition of a fine.

In the course of the proceedings, the UODO disagreed with the controller, which claimed to have tested and monitored the technical and organisational measures taken to ensure the security of personal data. The Supervisory Authority considered that these activities were neither regular nor comprehensive, as they were carried out only incidentally and did not cover all the systems in which the data was processed.

In the course of the proceedings, it emerged that data exchange between applications in the IT system was supposed to take place only after verification of certain parameters from the registration applications of prepaid service customers. The aim was for the programme to check whether the request for the transfer of data had been received from an authorised entity. In practice, this verification did not work, and the mechanism had not been tested before it was put into operation. The vulnerability in this process (the failure to verify the relevant parameters) was exploited by an unauthorised person to obtain the data. It was only after this incident that appropriate activities were undertaken to repair this functionality in the company's IT system.

The Supervisory Authority considered that putting a data processing system into use without proper validation of its assumed parameters was a flagrant breach by the controller.

In imposing the fine, the UODO took into account that the breach committed by the operator was serious, as it posed a high risk of adverse legal consequences for a large number of persons (e.g. the risk of identity theft). It should be remembered that although the unauthorised persons had only short-term access to the systems, this was sufficient to collect large amounts of data. Moreover, the breach itself was long-term, as the vulnerability that enabled the data leakage had existed for a long time.

The Office also took into account mitigating circumstances, such as the good cooperation of the controller, the quick remediation of the breach after its detection, and the implementation of additional solutions to further improve the security of the data processed.

However, given the scale and gravity of the breaches, the UODO considered that it would be disproportionate to apply remedies other than an administrative fine.

The fine is intended to prevent the company from committing similar negligence in the future.

To read the press release in Polish, click here.

To read the full decision in Polish, click here.

For more information please contact the Polish DPA at kancelaria@uodo.gov.pl