Record-breaking fine for breaching GDPR laws in Poland

The fine was imposed for failing to implement appropriate technical and organisational measures to ensure personal data security and for failing to verify the processor. What is more the processor which acted on behalf of the controller received a fine of 250 thousand zloty.

The controller notified the supervisory authority of a data protection breach. The breach involved a failure to protect personal data against unauthorised access while creating an additional database of the controller's customers. As a result, data were leaked and accessed by unauthorised persons. The additional database was being created by the processor on behalf of the controller. The breach of confidentiality involved personal data of the controller's customers, such as first and last name, address of residence or stay, PESEL number (a unique identification number assigned to Polish citizens and a specific group of foreigners), number of identity document or contact details. The notification said that personal data of 137,314 customers were affected by the breach. The controller learned about the breach from two independent Internet users who informed it that they had unauthorised access to the database.

It is true that in its agreement with the processor the data controller had set out personal data security requirements to follow, including pseudonymisation and encryption of personal data. However, in the course of modifications to the system, real personal data of the controller's customers were used. Moreover, the applied safeguards were not checked for their effectiveness before the creation of the additional database, in particular the required risk analysis was not carried out. Neither were the security measures tested in the course of work carried out for that purpose.

The controller's failure to comply with the adopted practice of implementing changes in the IT environment based on internal regulations and failure to verify the processor’s activities to improve the functioning of the service further aggravated the circumstances. According to the GDPR, it is the controller that implements appropriate technical and organisational measures so that the processing is performed in compliance with the regulations. The implementation of technical and organisational measures does not mean that the controller is required to apply relevant laws and rules for processing personal data in its organisation on a one-off basis. It means that the controller is also required to regularly review these measures and update the adopted solutions, if necessary.

Moreover, the controller is also responsible for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing. Both implementing appropriate security measures and their testing cannot be a one-off action. It should be an ongoing process where the controller reviews and, if necessary, updates the previously adopted safeguards.

The supervisory authority did not accept the controller's arguments that it had been collaborating with the processor for a long time, even before the GDPR came into force. The controller was still obliged not only to sign the personal data processing agreement but also to duly verify the processor and its planned activities for their compliance with the GDPR requirements. Therefore, the supervisory authority imposed an administrative fine of a record amount in Poland so far.

An important lesson for data controllers from this case is that they need to know how the entity to which the data are provided operates and to have tools to verify its activities. The rules of liability for a possible data breach are also worth considering as it may be an important safeguard for the controller for the future, although it is unfortunately irrelevant in proceedings before the supervisory authority.